[TASK] Fix CVE issues for v1.8.0 #9895

c3y1huang · 2024-12-04T02:36:29Z

What's the task? Please describe

Identify and resolve CVE issues of Longhorn components:

https://github.com/longhorn/longhorn/blob/master/deploy/longhorn-images.txt

Describe the sub-tasks

Identify CVE issues in Longhorn components for v1.8.0.
Resolve the identified CVE issues.
Perform CVE scans and possible fixes for each stage: Pre-RCs, RC1, RC2, etc.

Additional context

#9684

c3y1huang · 2024-12-04T02:41:48Z

I would like to keep this issue open until v1.8.0 is released to consolidate all CVE-related fixes. This way, we can avoid creating additional CVE-related issues if new ones are identified later.

cc @derekbit

c3y1huang · 2024-12-04T05:57:47Z

Analyse master-head (pre-RCs)

Longhorn Components

longhornio/backing-image-manager:master-head

longhornio/backing-image-manager:master-head (suse linux enterprise server 15.6)
================================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

longhornio/longhorn-engine:master-head

longhornio/longhorn-engine:master-head (suse linux enterprise server 15.6)
==========================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

longhornio/longhorn-instance-manager:master-head

longhornio/longhorn-instance-manager:master-head (suse linux enterprise server 15.6)
====================================================================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌───────────────────┬─────────────────────┬──────────┬────────┬─────────────────────┬──────────────────────┬───────────────────────────────┐
│      Library      │    Vulnerability    │ Severity │ Status │  Installed Version  │    Fixed Version     │             Title             │
├───────────────────┼─────────────────────┼──────────┼────────┼─────────────────────┼──────────────────────┼───────────────────────────────┤
│ libpython3_11-1_0 │ SUSE-SU-2024:3427-1 │ HIGH     │ fixed  │ 3.11.10-lp156.167.1 │ 3.11.10-150600.3.6.1 │ Security update for python311 │
├───────────────────┤                     │          │        │                     │                      │                               │
│ python311-base    │                     │          │        │                     │                      │                               │
└───────────────────┴─────────────────────┴──────────┴────────┴─────────────────────┴──────────────────────┴───────────────────────────────┘

/usr/local/lib64/python3.11/site-packages/ninja-1.11.1.2.dist-info/RECORD (secrets)
===================================================================================
Total: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: HuggingFace (hugging-face-access-token)
════════════════════════════════════════
Hugging Face Access Token
────────────────────────────────────────
 /usr/local/lib64/python3.11/site-packages/ninja-1.11.1.2.dist-info/RECORD:9 (added by 'COPY /usr/local/lib64 /usr/local/lib64 #')
────────────────────────────────────────
   7   ninja-1.11.1.2.dist-info/licenses/AUTHORS.rst,sha256=bGE1t_Lhm2ir8S7n_jbLDohP84fpJ5sNCuxvDVsKNQg,142
   8   ninja-1.11.1.2.dist-info/licenses/LICENSE_Apache_20,sha256=c7p036pSC0mkAbXSFFmoUjoUbzt1GKgz7qXvqFEwv
   9 [ ninja/__init__.py,sha256=*******************************************,1533
  10   ninja/__main__.py,sha256=6iPLwHHAc2TMbojFVcUzERrzN0RvIsywuZc4KpJCg_4,100
────────────────────────────────────────

longhornio/longhorn-manager:master-head

longhornio/longhorn-manager:master-head (suse linux enterprise server 15.6)
===========================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

longhornio/longhorn-share-manager:master-head

longhornio/longhorn-share-manager:master-head (suse linux enterprise server 15.6)
=================================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

longhornio/longhorn-ui:master-head

longhornio/longhorn-ui:master-head (suse linux enterprise server 15.6)
======================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

longhornio/support-bundle-kit:v0.0.45

longhornio/support-bundle-kit:v0.0.45 (suse linux enterprise server 15.6)
=========================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

2024-12-04T05:04:46Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.57/docs/scanner/vulnerability#severity-selection for details.

usr/bin/yq (gobinary)
=====================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ v1.22.5           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

External Components

longhornio/csi-attacher:v4.7.0

longhornio/csi-attacher:v4.7.0 (debian 12.6)
============================================
Total: 0 (HIGH: 0, CRITICAL: 0)

2024-12-04T05:05:50Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.57/docs/scanner/vulnerability#severity-selection for details.

csi-attacher (gobinary)
=======================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ v1.22.5           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

longhornio/csi-provisioner:v5.1.0

longhornio/csi-provisioner:v5.1.0 (debian 12.6)
===============================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-provisioner (gobinary)
==========================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ v1.22.5           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

longhornio/csi-resizer:v1.12.0

longhornio/csi-resizer:v1.12.0 (debian 12.6)
============================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-resizer (gobinary)
======================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ v1.22.5           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

longhornio/csi-snapshotter:v8.1.0

longhornio/csi-snapshotter:v8.1.0 (debian 12.6)
===============================================
Total: 0 (HIGH: 0, CRITICAL: 0)

2024-12-04T05:07:45Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.57/docs/scanner/vulnerability#severity-selection for details.

csi-snapshotter (gobinary)
==========================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ v1.22.5           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

longhornio/csi-node-driver-registrar:v2.12.0

longhornio/csi-node-driver-registrar:v2.12.0 (debian 12.6)
==========================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-node-driver-registrar (gobinary)
====================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ v1.22.5           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

longhornio/livenessprobe:v2.14.0

longhornio/livenessprobe:v2.14.0 (debian 12.6)
==============================================
Total: 0 (HIGH: 0, CRITICAL: 0)


livenessprobe (gobinary)
========================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ v1.22.5           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

Action Plan

Fix

longhornio/support-bundle-kit: Release and update to v0.0.47.

Won't Fix

longhornio/backing-image-manager: No issue detected.
longhornio/longhorn-engine: No issue detected.
longhornio/longhorn-instance-manager: Won't manually address the system package CVE issues, as we are relying on the base OS image to resolve them. We can revisit it later.
longhornio/longhorn-manager: No issue detected.
longhornio/longhorn-share-manager: No issue detected.
longhornio/longhorn-ui: No issue detected.
longhornio/csi-attacher: Currently at the latest released minor version so won't address this for now. We can revisit the decision and consider implementing the fix with our own build as we approach the RCs.
longhornio/csi-provisioner: Currently at the latest released minor version so won't address this for now. We can revisit the decision and consider implementing the fix with our own build as we approach the RCs.
longhornio/csi-resizer: Currently at the latest released minor version so won't address this for now. We can revisit the decision and consider implementing the fix with our own build as we approach the RCs.
longhornio/csi-snapshotter: Currently at the latest released minor version so won't address this for now. We can revisit the decision and consider implementing the fix with our own build as we approach the RCs.
longhornio/csi-node-driver-registrar: Currently at the latest released minor version so won't address this for now. We can revisit the decision and consider implementing the fix with our own build as we approach the RCs.
longhornio/livenessprobe: Currently at the latest released minor version so won't address this for now. We can revisit the decision and consider implementing the fix with our own build as we approach the RCs.

longhorn-io-github-bot · 2024-12-04T06:13:03Z

c3y1huang · 2024-12-20T05:30:20Z

Analyse v1.8.x-head (RC1)

Longhorn Components

longhornio/backing-image-manager:v1.8.x-head

longhornio/backing-image-manager:v1.8.x-head (suse linux enterprise server 15.6)
================================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

longhornio/longhorn-engine:v1.8.x-head

longhornio/longhorn-engine:v1.8.x-head (suse linux enterprise server 15.6)
==========================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/grpc_health_probe (gobinary)
==========================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.30.0           │ 0.33.0        │ Non-linear parsing of case-insensitive content in │
│                  │                │          │        │                   │               │ golang.org/x/net/html                             │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

longhornio/longhorn-instance-manager:v1.8.x-head

longhornio/longhorn-instance-manager:v1.8.x-head (suse linux enterprise server 15.6)
====================================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/grpc_health_probe (gobinary)
==========================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.30.0           │ 0.33.0        │ Non-linear parsing of case-insensitive content in │
│                  │                │          │        │                   │               │ golang.org/x/net/html                             │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

longhornio/longhorn-manager:v1.8.x-head

longhornio/longhorn-manager:v1.8.x-head (suse linux enterprise server 15.6)
===========================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

longhornio/longhorn-share-manager:v1.8.x-head

longhornio/longhorn-share-manager:v1.8.x-head (suse linux enterprise server 15.6)
=================================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

longhornio/longhorn-ui:v1.8.x-head

longhornio/longhorn-ui:v1.8.x-head (suse linux enterprise server 15.6)
======================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

longhornio/support-bundle-kit:v0.0.47

onghornio/support-bundle-kit:v0.0.47 (suse linux enterprise server 15.6)
=========================================================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌───────────────┬─────────────────────┬──────────┬────────┬─────────────────────┬─────────────────────┬───────────────────────────┐
│    Library    │    Vulnerability    │ Severity │ Status │  Installed Version  │    Fixed Version    │           Title           │
├───────────────┼─────────────────────┼──────────┼────────┼─────────────────────┼─────────────────────┼───────────────────────────┤
│ libglib-2_0-0 │ SUSE-SU-2024:4254-1 │ HIGH     │ fixed  │ 2.78.6-150600.4.3.1 │ 2.78.6-150600.4.8.1 │ Security update for glib2 │
└───────────────┴─────────────────────┴──────────┴────────┴─────────────────────┴─────────────────────┴───────────────────────────┘

usr/bin/yq (gobinary)
=====================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.31.0           │ 0.33.0        │ Non-linear parsing of case-insensitive content in │
│                  │                │          │        │                   │               │ golang.org/x/net/html                             │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

External Components

longhornio/csi-attacher:v4.7.0

longhornio/csi-attacher:v4.7.0 (debian 12.6)
============================================
Total: 0 (HIGH: 0, CRITICAL: 0)

2024-12-20T05:13:29Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.57/docs/scanner/vulnerability#severity-selection for details.

csi-attacher (gobinary)
=======================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.28.0           │ 0.33.0         │ Non-linear parsing of case-insensitive content in         │
│                  │                │          │        │                   │                │ golang.org/x/net/html                                     │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-45338                │
├──────────────────┼────────────────┤          │        ├───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2024-34156 │          │        │ v1.22.5           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│                  │                │          │        │                   │                │ which contains deeply nested structures...                │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

longhornio/csi-provisioner:v5.1.0

longhornio/csi-provisioner:v5.1.0 (debian 12.6)
===============================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-provisioner (gobinary)
==========================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.28.0           │ 0.33.0         │ Non-linear parsing of case-insensitive content in         │
│                  │                │          │        │                   │                │ golang.org/x/net/html                                     │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-45338                │
├──────────────────┼────────────────┤          │        ├───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2024-34156 │          │        │ v1.22.5           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│                  │                │          │        │                   │                │ which contains deeply nested structures...                │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

longhornio/csi-resizer:v1.12.0

longhornio/csi-resizer:v1.12.0 (debian 12.6)
============================================
Total: 0 (HIGH: 0, CRITICAL: 0)

2024-12-20T05:14:58Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.57/docs/scanner/vulnerability#severity-selection for details.

csi-resizer (gobinary)
======================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.28.0           │ 0.33.0         │ Non-linear parsing of case-insensitive content in         │
│                  │                │          │        │                   │                │ golang.org/x/net/html                                     │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-45338                │
├──────────────────┼────────────────┤          │        ├───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2024-34156 │          │        │ v1.22.5           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│                  │                │          │        │                   │                │ which contains deeply nested structures...                │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

longhornio/csi-snapshotter:v8.2.0

longhornio/csi-snapshotter:v8.2.0 (debian 12.8)
===============================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-snapshotter (gobinary)
==========================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.31.0           │ 0.33.0        │ Non-linear parsing of case-insensitive content in │
│                  │                │          │        │                   │               │ golang.org/x/net/html                             │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

longhornio/csi-node-driver-registrar:v2.12.0

longhornio/csi-node-driver-registrar:v2.12.0 (debian 12.6)
==========================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-node-driver-registrar (gobinary)
====================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.28.0           │ 0.33.0         │ Non-linear parsing of case-insensitive content in         │
│                  │                │          │        │                   │                │ golang.org/x/net/html                                     │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-45338                │
├──────────────────┼────────────────┤          │        ├───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2024-34156 │          │        │ v1.22.5           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│                  │                │          │        │                   │                │ which contains deeply nested structures...                │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

longhornio/livenessprobe:v2.14.0

longhornio/livenessprobe:v2.14.0 (debian 12.6)
==============================================
Total: 0 (HIGH: 0, CRITICAL: 0)


livenessprobe (gobinary)
========================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.28.0           │ 0.33.0         │ Non-linear parsing of case-insensitive content in         │
│                  │                │          │        │                   │                │ golang.org/x/net/html                                     │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-45338                │
├──────────────────┼────────────────┤          │        ├───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2024-34156 │          │        │ v1.22.5           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│                  │                │          │        │                   │                │ which contains deeply nested structures...                │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

Action Plan

Fix

longhornio/support-bundle-kit: Update to v0.0.48.
longhornio/csi-attacher: Update to v4.7.0-20241219.
longhornio/csi-provisioner: Release patched version (v5.1.0-20241220).
longhornio/csi-resizer: Update to v1.12.0-20241219.
longhornio/csi-node-driver-registrar: Update to v2.12.0-20241219.
longhornio/livenessprobe: Update to v2.14.0-20241219.

Won't Fix

longhornio/backing-image-manager: No issue detected.
longhornio/longhorn-engine:
- grpc_health_probe: It's not CRITICAL, and it hasn't been fixed upstream yet.
longhornio/longhorn-instance-manager:
- grpc_health_probe: It's not CRITICAL, and it hasn't been fixed upstream yet.
longhornio/longhorn-manager: No issue detected.
longhornio/longhorn-share-manager: No issue detected.
longhornio/longhorn-ui: No issue detected.
longhornio/csi-snapshotter:
- golang.org/x/net: It's not CRITICAL, and it's an indirect dependency.

c3y1huang · 2024-12-20T07:29:13Z

New versions of external components were released earlier today:

csi-attacher: v4.8.0
csi-node-driver-registrar: v2.13.0
livenessprobe: v2.15.0

Container
to be published soon

I will update the versions again once the images are available.

cc @derekbit, @innobead

c3y1huang · 2024-12-31T00:35:32Z

Analyse v1.8.x-head (RC2)

Longhorn Components

longhornio/backing-image-manager:v1.8.x-head

longhornio/backing-image-manager:v1.8.x-head (suse linux enterprise server 15.6)
================================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

longhornio/longhorn-engine:v1.8.x-head

longhornio/longhorn-engine:v1.8.x-head (suse linux enterprise server 15.6)
==========================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/grpc_health_probe (gobinary)
==========================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.30.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of      │
│                  │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

longhornio/longhorn-instance-manager:v1.8.x-head

longhornio/longhorn-instance-manager:v1.8.x-head (suse linux enterprise server 15.6)
====================================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/grpc_health_probe (gobinary)
==========================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.30.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of      │
│                  │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

longhornio/longhorn-manager:v1.8.x-head

longhornio/longhorn-manager:v1.8.x-head (suse linux enterprise server 15.6)
===========================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

longhornio/longhorn-share-manager:v1.8.x-head

longhornio/longhorn-share-manager:v1.8.x-head (suse linux enterprise server 15.6)
=================================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

longhornio/longhorn-ui:v1.8.x-head

longhornio/longhorn-ui:v1.8.x-head (suse linux enterprise server 15.6)
======================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

longhornio/longhorn-cli:v1.8.x-head

longhornio/longhorn-cli:v1.8.x-head (suse linux enterprise server 15.6)
=======================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/longhornctl (gobinary)
====================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.30.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of      │
│                  │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

usr/local/bin/longhornctl-local (gobinary)
==========================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.30.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of      │
│                  │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

longhornio/support-bundle-kit:v0.0.48

longhornio/support-bundle-kit:v0.0.48 (suse linux enterprise server 15.6)
=========================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


usr/bin/yq (gobinary)
=====================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.32.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of      │
│                  │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

External Components

longhornio/csi-attacher:v4.7.0-20241219

longhornio/csi-attacher:v4.7.0-20241219 (debian 12.8)
=====================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-attacher (gobinary)
=======================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.28.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of      │
│                  │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

longhornio/csi-provisioner:v5.1.0-20241220

longhornio/csi-provisioner:v5.1.0-20241220 (debian 12.8)
========================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-provisioner (gobinary)
==========================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.28.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of      │
│                  │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

longhornio/csi-resizer:v1.12.0-20241219

longhornio/csi-resizer:v1.12.0-20241219 (debian 12.8)
=====================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-resizer (gobinary)
======================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.28.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of      │
│                  │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

longhornio/csi-snapshotter:v8.2.0

longhornio/csi-snapshotter:v8.2.0 (debian 12.8)
===============================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-snapshotter (gobinary)
==========================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.31.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of      │
│                  │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

longhornio/csi-node-driver-registrar:v2.12.0-20241219

longhornio/csi-node-driver-registrar:v2.12.0-20241219 (debian 12.8)
===================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-node-driver-registrar (gobinary)
====================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.28.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of      │
│                  │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

longhornio/livenessprobe:v2.14.0-20241219

longhornio/livenessprobe:v2.14.0-20241219 (debian 12.8)
=======================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


livenessprobe (gobinary)
========================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.28.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of      │
│                  │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

Action Plan

Fix

None

Won't Fix

longhornio/backing-image-manager:
- No issue detected.
longhornio/longhorn-engine:
- It's not CRITICAL, and it hasn't been fixed upstream yet.
longhornio/longhorn-instance-manager:
- It's not CRITICAL, and it hasn't been fixed upstream yet.
longhornio/longhorn-manager:
- No issue detected.
longhornio/longhorn-share-manager:
- No issue detected.
longhornio/longhorn-ui:
- No issue detected.
longhornio/longhorn-cli:
- It's not CRITICAL, and it's an indirect dependency.
longhornio/support-bundle-kit:
- yq: not fixed in upstream yet.
longhornio/csi-attacher:
- It's not CRITICAL, and it's an indirect dependency.
- v4.8.0: container image not released yet.
longhornio/csi-provisioner:
- It's not CRITICAL, and it's an indirect dependency.
longhornio/csi-resizer:
- It's not CRITICAL, and it's an indirect dependency.
longhornio/csi-snapshotter:
- It's not CRITICAL, and it's an indirect dependency.
longhornio/csi-node-driver-registrar:
- It's not CRITICAL, and it's an indirect dependency.
- v2.13.0: container image not released yet.
longhornio/livenessprobe:
- It's not CRITICAL, and it's an indirect dependency.
- v2.15.0: container image not released yet.

innobead · 2024-12-31T04:43:04Z

longhornio/csi-node-driver-registrar:
It's not CRITICAL, and it's an indirect dependency.
v2.13.0: container image not released yet.
longhornio/livenessprobe:
It's not CRITICAL, and it's an indirect dependency.
v2.15.0: container image not released yet.

Don't those versions have been released?

c3y1huang · 2024-12-31T05:34:18Z

longhornio/csi-node-driver-registrar:
It's not CRITICAL, and it's an indirect dependency.
v2.13.0: container image not released yet.
longhornio/livenessprobe:
It's not CRITICAL, and it's an indirect dependency.
v2.15.0: container image not released yet.

Don't those versions have been released?

No, the upstream container images are not out yet.

docker pull registry.k8s.io/sig-storage/node-driver-registrar:v2.13.0
Error response from daemon: manifest for registry.k8s.io/sig-storage/node-driver-registrar:v2.13.0 not found: manifest unknown: Failed to fetch "v2.13.0"

innobead · 2024-12-31T06:44:46Z

ah thanks, @c3y1huang . It's weird to see the release is tagged and announced but the image is not ready yet.

c3y1huang added area/install-uninstall-upgrade Install, Uninstall or Upgrade related kind/task General task request to fulfill another primary request area/security System or volume data access security labels Dec 4, 2024

c3y1huang added this to the v1.8.0 milestone Dec 4, 2024

c3y1huang self-assigned this Dec 4, 2024

github-project-automation bot added this to Longhorn Sprint Dec 4, 2024

github-project-automation bot moved this to New Issues in Longhorn Sprint Dec 4, 2024

c3y1huang moved this from New Issues to Analysis and Design in Longhorn Sprint Dec 4, 2024

c3y1huang moved this from Analysis and Design to Implement in Longhorn Sprint Dec 4, 2024

c3y1huang mentioned this issue Dec 4, 2024

chore: update support-bundle to v0.0.47 #9899

Merged

c3y1huang moved this from Implement to Review in Longhorn Sprint Dec 4, 2024

This was referenced Dec 4, 2024

chore: update support-bundle to v0.0.47 (backport #9899) #9900

Merged

chore: update support-bundle to v0.0.47 (backport #9899) #9901

Merged

c3y1huang moved this from Review to Icebox in Longhorn Sprint Dec 4, 2024

c3y1huang moved this from Icebox to Analysis and Design in Longhorn Sprint Dec 20, 2024

This was referenced Dec 20, 2024

chore(cve): update go version to v1.22.7 longhorn/csi-provisioner#3

Merged

chore(cve): update image versions #10027

Merged

mergify bot mentioned this issue Dec 20, 2024

chore(cve): update image versions (backport #10027) #10028

Merged

c3y1huang moved this from Analysis and Design to Implement in Longhorn Sprint Dec 20, 2024

c3y1huang moved this from Implement to Icebox in Longhorn Sprint Dec 20, 2024

roger-ryao mentioned this issue Dec 25, 2024

[RELEASE] Release 1.8.0 #10010

Open

25 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[TASK] Fix CVE issues for v1.8.0 #9895

[TASK] Fix CVE issues for v1.8.0 #9895

c3y1huang commented Dec 4, 2024 •

edited

Loading

c3y1huang commented Dec 4, 2024

c3y1huang commented Dec 4, 2024 •

edited

Loading

longhorn-io-github-bot commented Dec 4, 2024 •

edited by c3y1huang

Loading

c3y1huang commented Dec 20, 2024 •

edited

Loading

c3y1huang commented Dec 20, 2024 •

edited

Loading

c3y1huang commented Dec 31, 2024

innobead commented Dec 31, 2024

c3y1huang commented Dec 31, 2024 •

edited

Loading

innobead commented Dec 31, 2024

[TASK] Fix CVE issues for v1.8.0 #9895

[TASK] Fix CVE issues for v1.8.0 #9895

Comments

c3y1huang commented Dec 4, 2024 • edited Loading

What's the task? Please describe

Describe the sub-tasks

Additional context

c3y1huang commented Dec 4, 2024

c3y1huang commented Dec 4, 2024 • edited Loading

Analyse master-head (pre-RCs)

Longhorn Components

longhornio/backing-image-manager:master-head

longhornio/longhorn-engine:master-head

longhornio/longhorn-instance-manager:master-head

longhornio/longhorn-manager:master-head

longhornio/longhorn-share-manager:master-head

longhornio/longhorn-ui:master-head

longhornio/support-bundle-kit:v0.0.45

External Components

longhornio/csi-attacher:v4.7.0

longhornio/csi-provisioner:v5.1.0

longhornio/csi-resizer:v1.12.0

longhornio/csi-snapshotter:v8.1.0

longhornio/csi-node-driver-registrar:v2.12.0

longhornio/livenessprobe:v2.14.0

Action Plan

Fix

Won't Fix

longhorn-io-github-bot commented Dec 4, 2024 • edited by c3y1huang Loading

Pre Ready-For-Testing Checklist

c3y1huang commented Dec 20, 2024 • edited Loading

Analyse v1.8.x-head (RC1)

Longhorn Components

longhornio/backing-image-manager:v1.8.x-head

longhornio/longhorn-engine:v1.8.x-head

longhornio/longhorn-instance-manager:v1.8.x-head

longhornio/longhorn-manager:v1.8.x-head

longhornio/longhorn-share-manager:v1.8.x-head

longhornio/longhorn-ui:v1.8.x-head

longhornio/support-bundle-kit:v0.0.47

External Components

longhornio/csi-attacher:v4.7.0

longhornio/csi-provisioner:v5.1.0

longhornio/csi-resizer:v1.12.0

longhornio/csi-snapshotter:v8.2.0

longhornio/csi-node-driver-registrar:v2.12.0

longhornio/livenessprobe:v2.14.0

Action Plan

Fix

Won't Fix

c3y1huang commented Dec 20, 2024 • edited Loading

c3y1huang commented Dec 31, 2024

Analyse v1.8.x-head (RC2)

Longhorn Components

longhornio/backing-image-manager:v1.8.x-head

longhornio/longhorn-engine:v1.8.x-head

longhornio/longhorn-instance-manager:v1.8.x-head

longhornio/longhorn-manager:v1.8.x-head

longhornio/longhorn-share-manager:v1.8.x-head

longhornio/longhorn-ui:v1.8.x-head

longhornio/longhorn-cli:v1.8.x-head

longhornio/support-bundle-kit:v0.0.48

External Components

longhornio/csi-attacher:v4.7.0-20241219

longhornio/csi-provisioner:v5.1.0-20241220

longhornio/csi-resizer:v1.12.0-20241219

longhornio/csi-snapshotter:v8.2.0

longhornio/csi-node-driver-registrar:v2.12.0-20241219

longhornio/livenessprobe:v2.14.0-20241219

Action Plan

Fix

Won't Fix

innobead commented Dec 31, 2024

c3y1huang commented Dec 31, 2024 • edited Loading

innobead commented Dec 31, 2024

c3y1huang commented Dec 4, 2024 •

edited

Loading

c3y1huang commented Dec 4, 2024 •

edited

Loading

longhorn-io-github-bot commented Dec 4, 2024 •

edited by c3y1huang

Loading

c3y1huang commented Dec 20, 2024 •

edited

Loading

c3y1huang commented Dec 20, 2024 •

edited

Loading

c3y1huang commented Dec 31, 2024 •

edited

Loading