[Bug]: Resolve High CVEs

Open sonrai-doyle opened this issue 1 year ago • 0 comments

What happened?

We currently use the jaeger-clickhouse image, and our security team has flagged it as being impacted by two HIGH CVEs:

  • CVE-2022-41721
  • CVE-2022-32149

To resolve these CVEs the following packages need to be updated to a minimum version of:

  • golang.org/x/net - 0.1.1-0.20221104162952-702349b0e862
  • golang.org/x/text - 0.3.8

We prefer to have the packages fixed upstream to ensure that everyone can benefit from the updates.

Steps to reproduce

Using a vulnerability scanner (e.g. aqua/trivy), scan the jaeger-clickhouse image:

trivy image jaeger-clickhouse:0.13.0

Expected behavior

No vulnerabilities listed.

Relevant log output

No response

Screenshot

No response

Additional context

No response

Jaeger backend version

No response

SDK

No response

Pipeline

No response

Storage backend

No response

Operating system

No response

Deployment model

No response

Deployment configs

No response

sonrai-doyle, Jan 24 '23 20:01
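
The version floor stated in the issue can be checked directly against a module's go.mod. The following is an added example, not part of the original issue or the jaeger-clickhouse code: the sample go.mod fragment and the function names are constructed, and pre-release ordering assumes Go pseudo-versions that share the same base version.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimum fixed versions named in the issue (Go's "v" prefix added).
var minFixed = map[string]string{
	"golang.org/x/net":  "v0.1.1-0.20221104162952-702349b0e862",
	"golang.org/x/text": "v0.3.8",
}

// Constructed go.mod fragment (sample input, not the project's real file).
const sampleGoMod = "require (\n\tgolang.org/x/net v0.1.0\n\tgolang.org/x/text v0.3.8\n)"

// parse splits vMAJOR.MINOR.PATCH[-pre] into its numeric core and pre-release.
func parse(v string) (core [3]int, pre string) {
	c, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	fmt.Sscanf(c, "%d.%d.%d", &core[0], &core[1], &core[2])
	return core, pre
}

// less reports whether a precedes b; a release outranks its own pre-releases.
func less(a, b string) bool {
	ca, pa := parse(a)
	cb, pb := parse(b)
	for i := range ca {
		if ca[i] != cb[i] {
			return ca[i] < cb[i]
		}
	}
	if pa == "" || pb == "" {
		return pa != "" // true only when a is a pre-release of release b
	}
	return pa < pb // assumption: same-base pseudo-versions, ordered by timestamp
}

// belowMinimum lists go.mod requirements older than the fixed versions above.
func belowMinimum(gomod string) (out []string) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && minFixed[f[0]] != "" && less(f[1], minFixed[f[0]]) {
			out = append(out, fmt.Sprintf("%s %s < %s", f[0], f[1], minFixed[f[0]]))
		}
	}
	return out
}

func main() { fmt.Println(strings.Join(belowMinimum(sampleGoMod), "\n")) }
```

Because the golang.org/x/net floor is a pseudo-version of v0.1.1, a requirement of v0.1.0 falls below it while v0.1.1 and anything later satisfies it.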