
Critical CVEs found in calico/dikastes, kube-controllers, node, pod2daemon-flexvol, typha -> v3.23.3

Open · codechris1 opened this issue 2 years ago · 1 comment

Our security scanning tools have identified CVEs in the calico/dikastes, kube-controllers, node, pod2daemon-flexvol and typha images. Can you please review this and help us with an update on the following:

Documentation that explains the mitigation strategy that we can apply to reduce the severity level

Details on when this is going to be fixed, with the expected version number, and if it's already fixed, which version number it is fixed in.

Issues found in build: calico/dikastes, kube-controllers, node, pod2daemon-flexvol, typha -> v3.23.3

CVE-2022-27664

CVE Description

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

codechris1 · Sep 29 '22 21:09
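Because CVE-2022-27664 is a Go standard-library bug, the practical check on a shipped image is which Go toolchain each binary was compiled with, not which Calico release tag it carries. The following is an added example, not code from the Calico project or from the reporter: it reads the toolchain version that the Go linker embeds in every module-built binary (the same data `go version -m <binary>` prints) and compares it against the affected ranges stated in the CVE description above. The binary paths are assumed to be supplied on the command line after extracting them from the image (for instance with `docker create` followed by `docker cp`); no path inside the Calico images is assumed here.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion is a parsed Go toolchain version such as "go1.18.5".
// Release candidates and betas carry patch -1 so they sort before the
// final release of the same minor line.
type goVersion struct{ major, minor, patch int }

// parseGoVersion accepts the forms the toolchain records: "go1.19",
// "go1.18.6", "go1.19rc2". Anything else (e.g. "devel +abc123") is an error
// rather than a silent "not affected".
func parseGoVersion(s string) (goVersion, error) {
	orig := s
	s = strings.TrimPrefix(s, "go")
	prerelease := false
	for _, tag := range []string{"rc", "beta"} {
		if i := strings.Index(s, tag); i >= 0 {
			s = s[:i]
			prerelease = true
		}
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", orig)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return goVersion{}, fmt.Errorf("unrecognised Go version %q: %v", orig, err)
		}
		nums[i] = n
	}
	v := goVersion{nums[0], nums[1], nums[2]}
	if prerelease {
		v.patch = -1
	}
	return v, nil
}

// less reports whether a sorts before b.
func (a goVersion) less(b goVersion) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// affectedByCVE202227664 applies the ranges from the CVE description:
// everything before 1.18.6 is affected, and 1.19.x before 1.19.1 is affected.
// 1.20 and later shipped with the fix.
func affectedByCVE202227664(toolchain string) (bool, error) {
	v, err := parseGoVersion(toolchain)
	if err != nil {
		return false, err
	}
	switch {
	case v.less(goVersion{1, 18, 6}):
		return true, nil
	case v.major == 1 && v.minor == 19 && v.less(goVersion{1, 19, 1}):
		return true, nil
	}
	return false, nil
}

// toolchainOf reads the Go version embedded in a compiled binary.
func toolchainOf(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

func main() {
	for _, path := range os.Args[1:] {
		tc, err := toolchainOf(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		affected, err := affectedByCVE202227664(tc)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		fmt.Printf("%s: built with %s, CVE-2022-27664 affected=%v\n", path, tc, affected)
	}
}
```

Two caveats when reading the result. A binary built with an affected toolchain only carries the vulnerable code path if it links net/http and serves HTTP/2; the scanner finding is about the stdlib version, not about reachability, so a "not affected" here is reliable but an "affected" still deserves a look at whether the component exposes an HTTP/2 server at all. Rebuilding with a patched toolchain, which is what the maintainer's patch releases below amount to, is the fix; there is no configuration-level mitigation named on this page.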

@codechris1 these are on our radar and we are planning on patch releases within the next few weeks to fix these. Off the top of my head the version numbers should be v3.23.4 and v3.24.2.

mgleung · Sep 30 '22 05:09