
Release new version of cri-tools

Open guntukaramakrishna opened this issue 10 months ago • 2 comments

What happened:

This vulnerability https://pkg.go.dev/vuln/GO-2024-3333 is reported with version 1.32.0 of cri-tools.

What you expected to happen:

We already see golang.org/x/net is upgraded to version v0.33.0 in go.mod. With the current changes, I think you need to release a new version of cri-tools.

How to reproduce it (as minimally and precisely as possible):

No steps to reproduce as it is a vulnerability

Anything else we need to know?:

Nope

Environment:

None

guntukaramakrishna Jan 09 '25 13:01

usr/local/bin/crictl,filesystem,["CVE-2024-34156"] is also being reported in AKS builds.

AlisonB319 Mar 25 '25 21:03

We get this vulnerability in scans: https://nvd.nist.gov/vuln/detail/CVE-2025-22871 Fixed in go1.24.2.

amadeusz-ds May 22 '25 16:05

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot Aug 20 '25 17:08

Closing this in favor of https://github.com/kubernetes-sigs/cri-tools/issues/1877

saschagrunert Aug 21 '25 08:08