
CVEs in kminion:v2.2.8

Open rd-michel opened this issue 1 year ago • 2 comments

What scanner and version reported the CVE?

$ gke security posture latest today

What CVE was reported in the scanner findings?

Vulnerability CVE-2023-42363 for busybox/1.36.1-r5 (alpine)
Vulnerability CVE-2023-42364 for busybox/1.36.1-r5 (alpine)
Vulnerability CVE-2023-42365 for busybox/1.36.1-r5 (alpine)
Vulnerability CVE-2023-42366 for busybox/1.36.1-r5 (alpine)
Vulnerability CVE-2024-2511 for openssl/3.1.4-r5 (alpine)
Vulnerability CVE-2024-4603 for openssl/3.1.4-r5 (alpine)
Vulnerability CVE-2024-4741 for openssl/3.1.4-r5 (alpine)
Vulnerability CVE-2024-5535 for openssl/3.1.4-r5 (alpine)

What versions of kminion did you test with?

docker.io/redpandadata/kminion:v2.2.8

rd-michel avatar Jul 03 '24 13:07 rd-michel

bump - https://github.com/advisories/GHSA-4fc7-mvrr-wv2c is classified as being critical

rd-michel avatar Aug 27 '24 09:08 rd-michel

I don't think the criticality applies to KMinion, but in the meantime you can use a newer Docker image built against master, e.g.

docker pull redpandadata/kminion:master-b8f8005

This should have a newer base image and therefore contain a fix. I pinged the maintaining team internally to cut a patch release.

cc @gavinheavyside @simon0191

weeco avatar Aug 27 '24 13:08 weeco
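The workaround above relies on the rebuilt tag actually pulling in a newer Alpine base. The following shell snippet is an added example, not code from the kminion project or from anyone in this thread; it assumes the image is Alpine-based with `apk` available (the scanner output says "alpine", but the presence of `apk` in the image is an assumption) and checks whether the exact busybox/openssl package versions reported in the issue are still installed. An unchanged version means the rebuild did not pick up a fix; a newer version is the expected result after a rebuild.

```shell
#!/bin/sh
# Added example (not part of the kminion project): verify whether an image still
# carries the exact busybox/openssl package versions the scanner reported.
# Assumes an Alpine-based image with `apk` present, so that `apk info -v`
# prints one installed package per line as "name-version".

# Package versions named in the issue report; a rebuilt image should show newer ones.
REPORTED_PKGS="busybox-1.36.1-r5
openssl-3.1.4-r5"

# check_reported_pkgs: reads `apk info -v` output on stdin, prints every
# package still at a reported version, and returns 1 if any is present
# (still affected) or 0 if none is (base image was updated).
check_reported_pkgs() {
    installed=$(cat)
    rc=0
    for pkg in $REPORTED_PKGS; do
        # -x: whole-line match, so "busybox-1.36.1-r5" does not match "-r50"
        if printf '%s\n' "$installed" | grep -qx "$pkg"; then
            echo "STILL PRESENT: $pkg"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `apk info -v` output matching the v2.2.8 scan findings.
SAMPLE_OLD="musl-1.2.4_git20230717-r4
busybox-1.36.1-r5
openssl-3.1.4-r5
ca-certificates-20240226-r0"

# Constructed sample for a rebuilt image; the version strings are illustrative
# placeholders, not the versions shipped in any particular kminion tag.
SAMPLE_NEW="musl-1.2.5-r0
busybox-1.36.1-r29
openssl-3.3.1-r3
ca-certificates-20240705-r0"

# Real usage against a pulled image (run manually; needs docker and an
# image whose entrypoint can be overridden):
#   docker run --rm --entrypoint apk redpandadata/kminion:master-b8f8005 info -v \
#       | check_reported_pkgs
```

Comparing against the exact reported versions deliberately avoids guessing the Alpine "fixed in" version for each CVE, which the thread does not state; for a definitive answer on the new tag, re-run the scanner as the maintainers did below rather than relying on this version check alone.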

v2.2.10 has been built and pushed, so it should have pulled in the latest base image

gavinheavyside avatar Aug 30 '24 16:08 gavinheavyside

Snyk scan is clean, closing this as resolved by v2.2.10

gavinheavyside avatar Sep 01 '24 09:09 gavinheavyside