
Security fixes for version v0.11.2

Open manikantanallagatla opened this issue 2 years ago • 5 comments

What happened?: Hi,

Can anyone provide an expected date for the security upgrades of the following dependent packages in Prometheus adapter?
https://github.com/advisories/GHSA-rcjv-mgp8-qvmr
https://github.com/advisories/GHSA-2wrh-6pvc-2jm9
https://github.com/advisories/GHSA-4374-p667-p6c8
https://github.com/advisories/GHSA-qppj-fm5r-hxr3

What did you expect to happen?: We expected these fixes in v0.11.2.

Please provide the prometheus-adapter config: v0.11.2 does not have these fixes.

Please provide the HPA resource used for autoscaling: NA

Please provide the HPA status: NA

Please provide the prometheus-adapter logs with -v=6 around the time the issue happened: NA

Anything else we need to know?:

Environment:

  • prometheus-adapter version: v0.11.2
  • prometheus version:
  • Kubernetes version (use kubectl version):
  • Cloud provider or hardware configuration:
  • Other info:

manikantanallagatla avatar Nov 17 '23 09:11 manikantanallagatla

@manikantanallagatla How did you get v0.11.2? Did you find the docker image somewhere? Or did you build it yourself?

data-dude avatar Jan 11 '24 15:01 data-dude

/assign @rexagod /triage accpeted

@rexagod will check to see if we are actually impacted by the vulnerabilities

dashpole avatar Jan 11 '24 17:01 dashpole

@dashpole: The label(s) triage/accpeted cannot be applied, because the repository doesn't have them.

In response to this:

/assign @rexagod /triage accpeted

@rexagod will check to see if we are actually impacted by the vulnerabilities

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Jan 11 '24 17:01 k8s-ci-robot

/triage accepted

dashpole avatar Jan 11 '24 18:01 dashpole

We have also scanned the prom-adapter v0.11.2 image with ORCA and it found some more CVEs, as mentioned below:

CVE             Package
CVE-2023-47108  go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
CVE-2023-45142  go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
CVE-2023-39325  golang.org/x/net
CVE-2023-44487  golang.org/x/net
CVE-2023-44487  google.golang.org/grpc
CVE-2023-48795  golang.org/x/crypto
CVE-2023-3978   golang.org/x/net

It would be good to get them patched as soon as possible.

sumitgupta21 avatar Mar 14 '24 12:03 sumitgupta21