Fix code scanning alert - CVE-2024-24791 / CVE-2022-30635 / CVE-2024-34155 / CVE-2024-34156 / CVE-2024-34158

Open crazy-max opened this issue 1 year ago • 1 comments

Tracking issue for:

  • [ ] https://github.com/moby/buildkit/security/code-scanning/5
  • [ ] https://github.com/moby/buildkit/security/code-scanning/20
  • [ ] https://github.com/moby/buildkit/security/code-scanning/17
  • [ ] https://github.com/moby/buildkit/security/code-scanning/18
  • [ ] https://github.com/moby/buildkit/security/code-scanning/19

Relates to upstream cni project https://github.com/moby/buildkit/blob/148c80ba931d0bf02a0cdb7c56a58363a475daff/Dockerfile#L9

Looking at their release workflow (https://github.com/containernetworking/plugins/blob/acf8ddc8e1128e6f68a34f7fe91122afeb1fa93d/.github/workflows/release.yaml#L19), a new release would fix it.

crazy-max, Aug 08 '24 17:08

Looks like the current release is also affected by CVE-2024-24790. Please bump the golang version as well 🙏🏼.

https://github.com/golang/go/issues/67680 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24790

antemasqued, Sep 20 '24 17:09