Addressing several security vulnerabilities in the version v0.16.2 #917

Open
thle40 opened this issue Aug 20, 2024 · 4 comments
Comments

@thle40

thle40 commented Aug 20, 2024

The release of version v0.16.2 running under Ubuntu 22.04.4 LTS contains several vulnerabilities.
Some vulnerabilities can be fixed by upgrading the version of the affected packages, as below.

As a requirement of our security remediation process in our org, we would like to report the vulnerabilities for this version (though we will follow your release process).

| CVE | Severity | CVSS | Package | Version | Status |
|---|---|---|---|---|---|
| CVE-2024-37371 | medium | 0.00 | krb5 | 1.19.2-2ubuntu0.3 | fixed in 1.19.2-2ubuntu0.4 |
| CVE-2024-37370 | medium | 0.00 | krb5 | 1.19.2-2ubuntu0.3 | fixed in 1.19.2-2ubuntu0.4 |
| CVE-2024-26462 | medium | 0.00 | krb5 | 1.19.2-2ubuntu0.3 | needed |
| CVE-2024-2236 | medium | 0.00 | libgcrypt20 | 1.9.4-3ubuntu3 | deferred |
| CVE-2022-4899 | low | 7.50 | libzstd | 1.4.8+dfsg-3build1 | needed |
| CVE-2023-50495 | low | 6.50 | ncurses | 6.3-2ubuntu0.1 | needed |
| CVE-2016-2781 | low | 6.50 | coreutils | 8.32-4.1ubuntu1.2 | deferred |
| CVE-2023-7008 | low | 5.90 | systemd | 249.11-0ubuntu3.12 | needed |
| CVE-2022-27943 | low | 5.50 | gcc-12 | 12.3.0-1ubuntu1~22.04 | needed |
| CVE-2023-29383 | low | 3.30 | shadow | 1:4.8.1-2ubuntu2.2 | needed |
| CVE-2022-3219 | low | 3.30 | gnupg2 | 2.2.27-3ubuntu2.1 | deferred |
| CVE-2024-5535 | low | 0.00 | openssl | 3.0.2-0ubuntu1.16 | fixed in 3.0.2-0ubuntu1.17 |
| CVE-2024-4741 | low | 0.00 | openssl | 3.0.2-0ubuntu1.16 | fixed in 3.0.2-0ubuntu1.17 |
| CVE-2024-4603 | low | 0.00 | openssl | 3.0.2-0ubuntu1.16 | fixed in 3.0.2-0ubuntu1.17 |
| CVE-2024-26461 | low | 0.00 | krb5 | 1.19.2-2ubuntu0.3 | needed |
| CVE-2024-2511 | low | 0.00 | openssl | 3.0.2-0ubuntu1.16 | fixed in 3.0.2-0ubuntu1.17 |
| CVE-2023-45918 | low | 0.00 | ncurses | 6.3-2ubuntu0.1 | needed |
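The report above mixes findings that a base-image package upgrade closes ("fixed in ...") with findings no upgrade can close yet ("needed", "deferred"). The following is an added triage example, not code from this issue or from the project: it parses rows in the column order used in the report (CVE SEVERITY CVSS PACKAGE VERSION STATUS), builds the per-package pin list for the fixable findings, and lists the residual ones worst-first so they can be routed to a VEX/exception review instead of an upgrade ticket. The sample input embedded in it is a constructed subset of the report's rows; the column format and the loose version ordering are assumptions.

```python
"""Triage a package-scanner CVE table.

Added example (not from the issue or the project): parses rows in the column
order used in the issue (CVE SEVERITY CVSS PACKAGE VERSION STATUS), then splits
findings into those a package upgrade closes and those it cannot.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: a subset of the rows from the issue's table.
SCAN_TABLE = """\
CVE-2024-37371 medium 0.00 krb5 1.19.2-2ubuntu0.3 fixed in 1.19.2-2ubuntu0.4
CVE-2024-26462 medium 0.00 krb5 1.19.2-2ubuntu0.3 needed
CVE-2024-2236 medium 0.00 libgcrypt20 1.9.4-3ubuntu3 deferred
CVE-2022-4899 low 7.50 libzstd 1.4.8+dfsg-3build1 needed
CVE-2024-5535 low 0.00 openssl 3.0.2-0ubuntu1.16 fixed in 3.0.2-0ubuntu1.17
CVE-2024-4741 low 0.00 openssl 3.0.2-0ubuntu1.16 fixed in 3.0.2-0ubuntu1.17
"""

# Assumed row format: whitespace-separated, status is the free-text tail.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+)\s+(?P<severity>\w+)\s+(?P<cvss>\d+(?:\.\d+)?)\s+"
    r"(?P<package>\S+)\s+(?P<version>\S+)\s+(?P<status>.+?)\s*$"
)
FIXED_RE = re.compile(r"^fixed in (?P<fix>\S+)$")
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    cvss: float
    package: str
    version: str
    status: str  # "needed", "deferred", or "fixed in <version>"

    @property
    def fix_version(self):
        """Version the scanner says closes this CVE, or None if no fix is published."""
        m = FIXED_RE.match(self.status)
        return m.group("fix") if m else None


def parse_scan_table(text):
    """Parse rows; skip the header and blank lines, reject malformed rows loudly."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("CVE SEVERITY"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable row: {line!r}")
        d = m.groupdict()
        findings.append(Finding(d["cve"], d["severity"].lower(), float(d["cvss"]),
                                d["package"], d["version"], d["status"]))
    return findings


def _version_key(v):
    # Loose ordering (assumption, not dpkg's algorithm): numeric runs compare
    # as integers, the text between them as strings.
    return [int(p) if p.isdigit() else p for p in re.split(r"(\d+)", v)]


def plan_upgrades(findings):
    """Map each source package to the highest fix version the scanner reports."""
    targets = defaultdict(set)
    for f in findings:
        if f.fix_version:
            targets[f.package].add(f.fix_version)
    return {pkg: max(vs, key=_version_key) for pkg, vs in targets.items()}


def residual_findings(findings):
    """Findings no upgrade closes, worst first (severity, then CVSS, then CVE id)."""
    left = [f for f in findings if f.fix_version is None]
    return sorted(left, key=lambda f: (-SEVERITY_RANK.get(f.severity, 0), -f.cvss, f.cve))


def report(text):
    findings = parse_scan_table(text)
    return {
        "upgrade": plan_upgrades(findings),
        "residual": [(f.cve, f.package, f.status) for f in residual_findings(findings)],
    }


if __name__ == "__main__":
    r = report(SCAN_TABLE)
    print("Pin these (source package -> fix version):")
    for pkg, ver in sorted(r["upgrade"].items()):
        print(f"  {pkg}={ver}")
    print("Cannot be closed by an upgrade yet (route to exception/VEX review):")
    for cve, pkg, status in r["residual"]:
        print(f"  {cve} {pkg} ({status})")
```

The Package column in this kind of report names Ubuntu source packages (openssl, krb5), while apt pins binary packages (libssl3, libkrb5-3, and so on), so the pin list is the input to a package-name mapping, not a ready-made `apt-get install` line. The residual list is the part that an upgrade ticket cannot resolve; that is where a VEX statement from the base-image vendor, or the reasoning in the later comments about where the libraries come from, has to be attached per CVE.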
@jmweir

jmweir commented Sep 23, 2024

Definitely need these as well. Is it possible to prioritize patching openssl?

@chipzoller
Contributor

Those CVEs come from Red Hat's UBI 9 base image and they are present even in the latest tag (9.5) which device plugin uses indirectly. Red Hat also states in the VEX for the image they won't be fixing most of those OpenSSL CVEs (which are all low anyhow).

@jmweir

jmweir commented Dec 19, 2024

That makes sense. I'm curious though, why not just assemble these go binaries on a scratch image? Is it essential to derive the Docker build from UBI9?

@chipzoller
Contributor

It needs the CUDA libraries and other external dependencies to function.
