
feat: release new debian-base image

Open awatterson22 opened this issue 1 year ago • 4 comments

What would you like to be added:

A new release for registry.k8s.io/build-image/debian-base

Why is this needed:

The current version, registry.k8s.io/build-image/debian-base:bookworm-v1.0.4, has a package, libexpat1, that contains a CRITICAL security vulnerability. I am trying to use the image registry.k8s.io/sig-storage/smbplugin:v1.15.0, and this image uses the above image as a base. They can't upgrade to the new remediated version of libexpat1, which is 2.6.3-1, so we need the base image to be updated.

           _            _ _
 __      _(_)____   ___| (_)
 \ \ /\ / / |_  /  / __| | |
  \ V  V /| |/ /  | (__| | |
   \_/\_/ |_/___|  \___|_|_|
 SUCCESS  Ready to scan Docker image registry.k8s.io/sig-storage/smbplugin:v1.15.0
 SUCCESS  Scanned Docker image
 SUCCESS  Docker image scan analysis ready
OS Package vulnerabilities:
.
.
.
    Name: libexpat1, Version: 2.5.0-1
        CVE-2024-45490, Severity: CRITICAL, Source: https://security-tracker.debian.org/tracker/CVE-2024-45490
        CVE-2024-45491, Severity: HIGH, Source: https://security-tracker.debian.org/tracker/CVE-2024-45491
        CVE-2024-45492, Severity: HIGH, Source: https://security-tracker.debian.org/tracker/CVE-2024-45492
        CVE-2023-52425, Severity: LOW, Source: https://security-tracker.debian.org/tracker/CVE-2023-52425
            CVSS score: 7.5, CVSS exploitability score: 3.9
            💥 Has public exploit
        CVE-2023-52426, Severity: LOW, Source: https://security-tracker.debian.org/tracker/CVE-2023-52426
            CVSS score: 5.5, CVSS exploitability score: 1.8
        CVE-2024-28757, Severity: LOW, Source: https://security-tracker.debian.org/tracker/CVE-2024-28757
.
.
.

awatterson22 avatar Sep 17 '24 20:09 awatterson22
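The check behind this report is a version comparison: is the libexpat1 installed in the image (2.5.0-1 per the scan above) below the version the fix ships in? The script below is an added example, not code from the reporter or from kubernetes/release. It implements dpkg's version-comparison rules (epoch, upstream_version, debian_revision, with `~` sorting before everything and digit runs compared numerically) in Python and runs them over a constructed `dpkg-query -W -f='${Package} ${Version}\n'` listing; the 2.6.3-1 fixed-in version is the one named in the issue and is an input, not something the script looks up.

```python
"""Flag Debian packages in an image that sort below a fixed-in version,
using dpkg's own comparison rules. Added example for this issue, not
project code; assumptions are marked in comments."""
from typing import Dict, List, Tuple

# CONSTRUCTED sample of `dpkg-query -W -f='${Package} ${Version}\n'` run
# inside the image. libexpat1 2.5.0-1 is what the scan in the issue found;
# the zlib1g line is made up to show unrelated packages are ignored.
SAMPLE_DPKG_QUERY = """\
libexpat1 2.5.0-1
zlib1g 1:1.2.13.dfsg-1
"""

# Fixed-in versions by package. 2.6.3-1 is the version the reporter names;
# in practice this comes from the Debian security tracker for the suite.
FIXED_IN = {"libexpat1": "2.6.3-1"}


def _order(c: str) -> int:
    """dpkg character weights for non-digit parts: '~' sorts before
    everything (even end of string), end/digits are 0, letters before
    other characters."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream_version or debian_revision like dpkg's
    verrevcmp(): alternate weighted non-digit runs and numeric digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():  # more digits left: larger number
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff != 0:
            return -1 if first_diff < 0 else 1
    return 0


def parse_debian_version(version: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream_version[-debian_revision]; the revision is
    what follows the LAST hyphen, since upstream may contain hyphens."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""  # absent revision compares as "0"
    return epoch, upstream, revision


def compare_debian_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = parse_debian_version(a)
    eb, ub, rb = parse_debian_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_dpkg_query(text: str) -> Dict[str, str]:
    """Parse '<package> <version>' lines into a dict."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def vulnerable_packages(installed: Dict[str, str],
                        fixed_in: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(package, installed, fixed_in) for every package still below the fix."""
    return [(name, installed[name], fixed)
            for name, fixed in fixed_in.items()
            if name in installed and compare_debian_versions(installed[name], fixed) < 0]


if __name__ == "__main__":
    for pkg, have, fixed in vulnerable_packages(parse_dpkg_query(SAMPLE_DPKG_QUERY), FIXED_IN):
        print(f"{pkg}: installed {have} is below fixed version {fixed}")
```

Two caveats for anyone reproducing this against a real image. First, Debian stable security updates normally keep the upstream version and add a revision suffix of the form `2.5.0-1+deb12u1`; under these rules such a version sorts below `2.6.3-1` even though it may carry the fix, so the fixed-in version has to be the one the security tracker lists for the suite, not the upstream release number. Second, a trimmed base image may not ship `dpkg-query`; the same package list can then be read from `/var/lib/dpkg/status` in the exported filesystem.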

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Dec 16 '24 21:12 k8s-triage-robot

Looks like this is still not done https://github.com/kubernetes/release/blob/3a3603ca2fb0a33b1864d9a64765adbb0200ca92/dependencies.yaml#L412

/remove-lifecycle stale

xmudrii avatar Dec 16 '24 22:12 xmudrii

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Mar 16 '25 23:03 k8s-triage-robot

/remove-lifecycle stale

xmudrii avatar Mar 18 '25 16:03 xmudrii

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jun 16 '25 16:06 k8s-triage-robot

/remove-lifecycle stale

xmudrii avatar Jun 16 '25 16:06 xmudrii

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Sep 14 '25 18:09 k8s-triage-robot

/remove-lifecycle stale

xmudrii avatar Sep 18 '25 08:09 xmudrii