Comments (10)
Could someone give an ETA on when the next release will be available and if it will incorporate resolution of the previously listed CVEs?
from csi-driver-host-path.
These are vulns for the rust openssl package, how did you find that this repo written in golang uses those dependencies? I couldn't find anything related with ssl in https://github.com/kubernetes-csi/csi-driver-host-path/blob/master/go.mod
Thank you for the response. We are using AWS and the container is /k8s.gcr.io/sig-storage/hostpathplugin if that helps you. The scanner we are using is Sysdig and it is finding them as known, vulnerable CVEs, so there is something about libssl and libcrypto deployed in this container that is triggering these high findings. This is an off-the-shelf container and not anything that we would have built.
Gotcha, there might be vulnerabilities in the image https://github.com/kubernetes-csi/csi-driver-host-path/blob/master/Dockerfile. So this CSI Driver is used for testing purposes as a demo CSI Driver.
I added this to our backlog but we don't have SLOs for components that aren't supposed to be used in production, cc @msau42.
If you're using this in production maybe you should evaluate other solutions.
@ronkara Please feel free to submit fixes for CVEs and we can help review and merge them.
/help wanted
Hi @xing-yang, I don't have a mergeable fix but the files in question may be part of the alpine build or the linux-coreutils, as the Sysdig container scan states they are OS vulns. The specific issue and the fix versions are as follows:
libcrypto1.1 fix version 1.1.1t-r0
libssl1.1 fix version 1.1.1t-r0
The CVEs are listed in the original message. Just because rust isn't being used, I suspect updating the build to the latest version of alpine and linux-coreutils will resolve these vulnerabilities for us.
Hi @xing-yang as @ronkara mentioned the following CVEs above:
CVE-2022-4450
CVE-2023-0215
CVE-2023-0286
They seem to be related to the openssl 3.0.7-r2 package which I am assuming comes with the alpine image. Since they are OS vulns, I was thinking pulling the latest alpine image will resolve these vulnerabilities, because `apk update && apk upgrade` will also pull in the new packages when we rebuild the image.
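A way to check the two flagged packages against the fix versions quoted in the comments above, as an added example (not code from the csi-driver-host-path project): the `apk info -v` output is constructed, and the version comparison assumes GNU `sort -V`.

```shell
#!/bin/sh
# Added example, not part of csi-driver-host-path: compare the Alpine packages a
# scanner flagged against their fix versions. Package/fix pairs are the ones quoted
# in the thread (libssl1.1 and libcrypto1.1, fix version 1.1.1t-r0).
FIX_VERSIONS="libssl1.1=1.1.1t-r0 libcrypto1.1=1.1.1t-r0"

# Constructed sample of `apk info -v` output, as you would get from
#   docker run --rm --entrypoint apk <image> info -v
# The versions here are made up for the example.
SAMPLE_APK_INFO="musl-1.2.3-r4
libssl1.1-1.1.1s-r1
libcrypto1.1-1.1.1s-r1
coreutils-9.1-r0"

# installed_version PKG APK_INFO -> prints PKG's installed version, or nothing if absent.
installed_version() {
    printf '%s\n' "$2" | sed -n "s/^$1-\([0-9].*\)$/\1/p" | head -n 1
}

# version_ge A B -> succeeds when A >= B in version order (assumes GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# audit APK_INFO -> one status line per tracked package; always returns 0.
audit() {
    for pair in $FIX_VERSIONS; do
        pkg=${pair%%=*}
        fix=${pair#*=}
        have=$(installed_version "$pkg" "$1")
        if [ -z "$have" ]; then
            echo "$pkg: not installed"
        elif version_ge "$have" "$fix"; then
            echo "$pkg: $have >= $fix (fixed)"
        else
            echo "$pkg: $have < $fix (still vulnerable)"
        fi
    done
}

# count_vulnerable APK_INFO -> prints how many tracked packages are below their fix version.
count_vulnerable() {
    audit "$1" | grep -c 'still vulnerable' || true
}

audit "$SAMPLE_APK_INFO"
echo "$(count_vulnerable "$SAMPLE_APK_INFO") package(s) below fix version"
```

Rebuilding on a newer Alpine base and re-running the check against the new image shows whether the flagged versions have actually moved past 1.1.1t-r0.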
/help wanted please if someone has the capability of updating the underlying alpine build to see if this resolves the libcrypto1.1 fix version 1.1.1t-r0 and libssl1.1 fix version 1.1.1t-r0 per guidance from singhc1997.
@ronkara wondering if you will have some bandwidth to help fix this?