Vulnerabilities found in latest release #1742

github-actions · 2024-12-02T00:14:33Z

ghcr.io/shipwright-io/build/bundle:v0.14.0@sha256:d921fbbfd7d87bd43a5a3cecf9039c6a65306cf1ce9ee307c55ce522f7d86af2

OS vulnerabilities

Vulnerability	Package	Severity	Version	Fixed by rebuild
CVE-2024-3596	krb5-libs	high	1.21.1-2.el9_4 -> 1.21.1-4.el9_5	✅
CVE-2024-26462	krb5-libs	medium	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-26458	krb5-libs	low	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-26461	krb5-libs	low	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-2236	libgcrypt	medium	1.10.0-10.el9_2 -> 1.10.0-11.el9	✅
CVE-2024-2511	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-4603	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-4741	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-5535	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅

Go vulnerabilities

Vulnerability	Package	Version	Fixed by rebuild
GO-2024-3333	golang.org/x/net	v0.30.0 -> v0.33.0	✅
GO-2025-3367	github.com/go-git/go-git/v5	v5.12.0 -> v5.13.0	✅
GO-2025-3368	github.com/go-git/go-git/v5	v5.12.0 -> v5.13.0	✅

ghcr.io/shipwright-io/build/git:v0.14.0@sha256:81a8c0572364836b7f4728cfcb10a93326b06c9ae45bb57e56eec6e80469dd63

OS vulnerabilities

Vulnerability	Package	Severity	Version	Fixed by rebuild
CVE-2024-50602	expat	medium	2.5.0-2.el9_4.1 -> 2.5.0-3.el9_5.1	✅
CVE-2024-3596	krb5-libs	high	1.21.1-2.el9_4 -> 1.21.1-4.el9_5	✅
CVE-2024-26462	krb5-libs	medium	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-26458	krb5-libs	low	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-26461	krb5-libs	low	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-2236	libgcrypt	medium	1.10.0-10.el9_2 -> 1.10.0-11.el9	✅
CVE-2024-2511	openssl	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-4603	openssl	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-4741	openssl	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-5535	openssl	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-2511	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-4603	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-4741	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-5535	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-10963	pam	high	1.5.1-19.el9 -> 1.5.1-22.el9_5	✅
CVE-2024-10041	pam	medium	1.5.1-19.el9 -> 1.5.1-21.el9_5	✅

Go vulnerabilities

Vulnerability	Package	Version	Fixed by rebuild
GO-2024-3321	golang.org/x/crypto	v0.28.0 -> v0.31.0	✅
GO-2024-3333	golang.org/x/net	v0.30.0 -> v0.33.0	✅
GO-2025-3367	github.com/go-git/go-git/v5	v5.12.0 -> v5.13.0	✅
GO-2025-3368	github.com/go-git/go-git/v5	v5.12.0 -> v5.13.0	✅

ghcr.io/shipwright-io/build/image-processing:v0.14.0@sha256:6532c8a246b3b9f433f758627230d62eb624baf58e309fbe106840209ed4c9b9

OS vulnerabilities

Vulnerability	Package	Severity	Version	Fixed by rebuild
CVE-2024-3596	krb5-libs	high	1.21.1-2.el9_4 -> 1.21.1-4.el9_5	✅
CVE-2024-26462	krb5-libs	medium	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-26458	krb5-libs	low	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-26461	krb5-libs	low	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-2236	libgcrypt	medium	1.10.0-10.el9_2 -> 1.10.0-11.el9	✅
CVE-2024-2511	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-4603	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-4741	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-5535	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅

Go vulnerabilities

Vulnerability	Package	Version	Fixed by rebuild
GO-2024-3333	golang.org/x/net	v0.30.0 -> v0.33.0	✅

ghcr.io/shipwright-io/build/shipwright-build-controller:v0.14.0@sha256:f38b9266889be7e81a5f66d371da39506071719217207718b56c1297589f6a4f

OS vulnerabilities

Vulnerability	Package	Severity	Version	Fixed by rebuild
CVE-2024-3596	krb5-libs	high	1.21.1-2.el9_4 -> 1.21.1-4.el9_5	✅
CVE-2024-26462	krb5-libs	medium	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-26458	krb5-libs	low	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-26461	krb5-libs	low	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-2236	libgcrypt	medium	1.10.0-10.el9_2 -> 1.10.0-11.el9	✅
CVE-2024-2511	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-4603	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-4741	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-5535	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅

Go vulnerabilities

Vulnerability	Package	Version	Fixed by rebuild
GO-2024-3321	golang.org/x/crypto	v0.28.0 -> v0.31.0	✅
GO-2024-3333	golang.org/x/net	v0.30.0 -> v0.33.0	✅
GO-2025-3367	github.com/go-git/go-git/v5	v5.12.0 -> v5.13.0	✅
GO-2025-3368	github.com/go-git/go-git/v5	v5.12.0 -> v5.13.0	✅

ghcr.io/shipwright-io/build/shipwright-build-webhook:v0.14.0@sha256:aa7bd77d7884efb03bbbecbc249f92fcbcf85c1150ce11cae4eb751457a3cbb6

OS vulnerabilities

Vulnerability	Package	Severity	Version	Fixed by rebuild
CVE-2024-3596	krb5-libs	high	1.21.1-2.el9_4 -> 1.21.1-4.el9_5	✅
CVE-2024-26462	krb5-libs	medium	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-26458	krb5-libs	low	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-26461	krb5-libs	low	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-2236	libgcrypt	medium	1.10.0-10.el9_2 -> 1.10.0-11.el9	✅
CVE-2024-2511	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-4603	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-4741	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-5535	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅

Go vulnerabilities

Vulnerability	Package	Version	Fixed by rebuild
GO-2024-3333	golang.org/x/net	v0.30.0 -> v0.33.0	✅

ghcr.io/shipwright-io/build/waiter:v0.14.0@sha256:4e9c45f8ebd723a07ceef9c6bc3b8727a0fd8149de7bee60d6ebae634bfedec9

OS vulnerabilities

Vulnerability	Package	Severity	Version	Fixed by rebuild
CVE-2024-3596	krb5-libs	high	1.21.1-2.el9_4 -> 1.21.1-4.el9_5	✅
CVE-2024-26462	krb5-libs	medium	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-26458	krb5-libs	low	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-26461	krb5-libs	low	1.21.1-2.el9_4 -> 1.21.1-3.el9	✅
CVE-2024-2236	libgcrypt	medium	1.10.0-10.el9_2 -> 1.10.0-11.el9	✅
CVE-2024-2511	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-4603	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-4741	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅
CVE-2024-5535	openssl-libs	low	1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5	✅

Go vulnerabilities

No vulnerabilities found.

adambkaplan · 2024-12-17T19:05:06Z

Most of these are RHEL packages in the base image. We also have a golang dependency (golang.org/x/crypto) with a "high" serverity grade CVE (backport PR #1755). I think it is worth issuing a v0.14.1 release once the golang patch merges.

github-actions · 2025-01-09T04:07:14Z

Triggered a release build in branch release-v0.14 for v0.14.0. Please check whether this succeeded. A maintainer must release this.

github-actions · 2025-01-10T08:05:28Z

No vulnerabilities found in the latest release v0.14.1

github-actions bot added the release-vulnerabilities Issues for vulnerabilities in the latest release. label Dec 2, 2024

SaschaSchwarze0 mentioned this issue Dec 18, 2024

[release-v0.14] Update golang.org/x/crypto to v0.31.0 #1755

Merged

4 tasks

github-actions bot assigned adambkaplan, qu1queee, SaschaSchwarze0, HeavyWombat and apoorvajagtap Jan 8, 2025

SaschaSchwarze0 mentioned this issue Jan 8, 2025

Fix action on release vulnerabilities #1767

Merged

4 tasks

SaschaSchwarze0 mentioned this issue Jan 9, 2025

Corrections in vulnerability action triggering new release #1773

Merged

4 tasks

github-actions bot closed this as completed Jan 10, 2025

SaschaSchwarze0 mentioned this issue Jan 10, 2025

Fix gh command that closes the issue when all vulnerabilities are fixed #1774

Merged

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vulnerabilities found in latest release #1742

Vulnerabilities found in latest release #1742

github-actions bot commented Dec 2, 2024 •

edited

Loading

adambkaplan commented Dec 17, 2024

github-actions bot commented Jan 9, 2025

github-actions bot commented Jan 10, 2025

Vulnerabilities found in latest release #1742

Vulnerabilities found in latest release #1742

Comments

github-actions bot commented Dec 2, 2024 • edited Loading

ghcr.io/shipwright-io/build/bundle:v0.14.0@sha256:d921fbbfd7d87bd43a5a3cecf9039c6a65306cf1ce9ee307c55ce522f7d86af2

OS vulnerabilities

Go vulnerabilities

ghcr.io/shipwright-io/build/git:v0.14.0@sha256:81a8c0572364836b7f4728cfcb10a93326b06c9ae45bb57e56eec6e80469dd63

OS vulnerabilities

Go vulnerabilities

ghcr.io/shipwright-io/build/image-processing:v0.14.0@sha256:6532c8a246b3b9f433f758627230d62eb624baf58e309fbe106840209ed4c9b9

OS vulnerabilities

Go vulnerabilities

ghcr.io/shipwright-io/build/shipwright-build-controller:v0.14.0@sha256:f38b9266889be7e81a5f66d371da39506071719217207718b56c1297589f6a4f

OS vulnerabilities

Go vulnerabilities

ghcr.io/shipwright-io/build/shipwright-build-webhook:v0.14.0@sha256:aa7bd77d7884efb03bbbecbc249f92fcbcf85c1150ce11cae4eb751457a3cbb6

OS vulnerabilities

Go vulnerabilities

ghcr.io/shipwright-io/build/waiter:v0.14.0@sha256:4e9c45f8ebd723a07ceef9c6bc3b8727a0fd8149de7bee60d6ebae634bfedec9

OS vulnerabilities

Go vulnerabilities

adambkaplan commented Dec 17, 2024

github-actions bot commented Jan 9, 2025

github-actions bot commented Jan 10, 2025

github-actions bot commented Dec 2, 2024 •

edited

Loading