spilo
CVE fixes needed
Hello,
when will the next spilo release be, and will CVE fixes be included? The current 3.0-p1 image has a lot of CVEs. Would it be possible to have a regular / monthly release with updated base image packages to reduce CVEs in the future?
Best
Fabian
Would it be possible to have a regular / monthly release
Yes, we should definitely work on this, unfortunately, the project has been abandoned for some months now. We are testing the current master branch state internally and if everything is fine, I hope to push the new release the next week (still without upgrading the Patroni version though)
Hi
what is the actual status? It would be really great to get an updated image (even without Patroni) asap.
Best Fabian
@hughcapet any new info?
+1 any new info?
I have attempted to use the current master branch with the most recent postgres-operator release, but the postgres database cannot be connected to.
An issue has been created here: https://github.com/zalando/spilo/issues/923
Hello @hughcapet. Commenting you here
unfortunately, the project has been abandoned for some months now
So does that mean that no one from zalando is supporting the spilo image atm?
The master branch is periodically updated and tested internally. The release cycle is unfortunately on hold now
Any update here?
I can not add anything to this now
Understood. Are we safe to ensure the self-built image is working properly by running the test routine located in the tests folder?
Otherwise it would be nice to get some information about how you test that the image is working properly.
I think once that is clear it should be easy to create a pipeline which builds images from the master branch.
The test routine located in the tests folder indeed checks the main functionality blocks of Spilo (e.g. bootstrapping, in-place upgrades, cloning...). But then should definitely come testing of your specific deployment model (for example, internally we also test integration with the Operator). This sometimes reveals specific Spilo problems/bugs. And of course, given the amount of Spilo's external dependencies (e.g. PG extensions), many problems only appear during the actual usage by the end-users (that is why the so-called releases in the past were only made after we ran the image built from the current master branch's state internally for some time). But again - knowing nothing is pinned, I can not guarantee that what we tested internally will have the same (or even similar) state to what I tag and build as a release later. IMO, the whole release model should be changed. Hopefully, it happens in the future :)
Also we would be happy if there were regular releases of this project.
Just as a side note: this image seems to also use an affected curl release (7.81.0). See CVE-2023-38545 and CVE-2023-38546.
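The curl observation above suggests a simple check anyone building their own image from master can run before trusting it: take the first line of `curl --version` from inside the container and compare it against the affected ranges. The following script is an added example, not code from this thread or from the spilo project. The inclusive affected ranges (7.69.0 to 8.3.0 for CVE-2023-38545, 7.9.1 to 8.3.0 for CVE-2023-38546, both fixed in 8.4.0) are taken from the curl project's advisories; the banner string is constructed to resemble the 7.81.0 build mentioned in the comment.

```python
"""Check a captured `curl --version` banner against the affected ranges of
CVE-2023-38545 and CVE-2023-38546 (example check, not part of spilo).

Usage inside an image under test:
    docker run --rm <image> curl --version | head -n1 | python3 check_curl.py
"""
import re
import sys

# Inclusive affected ranges as published in the curl advisories.
AFFECTED = {
    "CVE-2023-38545": ((7, 69, 0), (8, 3, 0)),  # SOCKS5 heap buffer overflow
    "CVE-2023-38546": ((7, 9, 1), (8, 3, 0)),   # cookie injection via "none" file
}

# Constructed sample banner resembling the first line of `curl --version`
# on a build with curl 7.81.0 (the version named in the thread).
SAMPLE_BANNER = (
    "curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11"
)


def parse_curl_version(banner):
    """Return (major, minor, patch) from a `curl --version` first line."""
    m = re.match(r"curl\s+(\d+)\.(\d+)\.(\d+)", banner.strip())
    if not m:
        raise ValueError("unrecognised curl banner: %r" % banner)
    return tuple(int(x) for x in m.groups())


def affected_cves(version):
    """List the advisories whose inclusive range contains `version`."""
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= version <= hi]


def check_banner(banner):
    """Parse the banner and report the version plus any matching CVEs."""
    version = parse_curl_version(banner)
    return {"version": version, "cves": affected_cves(version)}


if __name__ == "__main__":
    # Read a banner from stdin if one is piped in, otherwise use the sample.
    banner = sys.stdin.readline() if not sys.stdin.isatty() else SAMPLE_BANNER
    result = check_banner(banner or SAMPLE_BANNER)
    ver = ".".join(str(n) for n in result["version"])
    if result["cves"]:
        print("curl %s affected by: %s" % (ver, ", ".join(result["cves"])))
        sys.exit(1)
    print("curl %s not in the affected ranges" % ver)
```

The script exits non-zero when a match is found, so it can gate an image build pipeline of the kind discussed earlier in the thread. Tracking the distribution's backport status is still necessary: a distro-patched 7.81.0 keeps the same version string, so a clean result here is not proof of absence and a match is a prompt to verify against the package changelog.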