Bump docker/distribution to 2.8.2 #118036
Conversation
k8s-ci-robot
added
kind/cleanup
|
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-triage
|
Hi @skitt. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-priority
k/k doesn't use much code from docker/distribution so this doesn't change anything that's actually relevant, but 2.8.1 is identified as affected by CVE-2022-28391 and CVE-2023-2253; bumping to 2.8.2 avoids k/k triggering scanners on those CVEs. Signed-off-by: Stephen Kitt <skitt@redhat.com>
skitt
force-pushed
the
docker-distribution-2.8.2
branch
from
3262fd4 to
3680a52
Compare
k8s-ci-robot
added
area/dependency
k8s-ci-robot
added
release-note-none
|
/me yells at scanners
|
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
... that's not even in go code? : | ... busybox has nothing to do with any use of this library AFAIK ... sigh. And of course registry API endpoints are only used by the underlying container runtime since dockershim removal (all currently supported k8s releases). I wish we could get more responsibility from the scanners to correctly identify vulnerable status. At least this change is small. |
|
@dims maybe in the future we should require info on which scanner so we can provide feedback to the scanner owners? |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 97fffefccee0bcd9711f12cb9098fbf6bfade375
|
+100 @BenTheElder |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: BenTheElder, dims, skitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
I seeing these CVEs in the dependabot section for our project, wondering if we can cherrypick this to the older releases as well? /cherrypick release-1.27 |
|
@BenTheElder this particular bump was flagged by Grype and dependabot. |
|
Cherrypick to older versions will be helpful. Otherwise, it will confuse the the people who end up with a report against older and supported versions of k8s. |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
k/k doesn't use much code from docker/distribution so this doesn't change anything that's actually relevant, but 2.8.1 is identified as affected by CVE-2022-28391 and CVE-2023-2253; bumping to 2.8.2 avoids k/k triggering scanners on those CVEs.
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: