
Vulnerability for fluentd:v1.16.0-1.0 #359

Closed
im-bravo opened this issue Jul 28, 2023 · 8 comments

Comments

@im-bravo

Hello,
Many thanks for fluentd and the fluentd docker image.

We found 2 CVEs in the latest docker image, 1.16.0:

https://nvd.nist.gov/vuln/detail/CVE-2023-2975
https://nvd.nist.gov/vuln/detail/CVE-2023-36617

It looks like they are related to the libcrypto3 and libssl3 packages.
Based on my scan tool, upgrading from 3.0.9-r1 to 3.0.9-r2 can fix this issue.

@tunguyen9889

I created a PR #362 to update to alpine:3.18, which should contain the fixes for:
https://nvd.nist.gov/vuln/detail/CVE-2023-2975
https://nvd.nist.gov/vuln/detail/CVE-2023-3446

@tunguyen9889

tunguyen9889 commented Sep 14, 2023

For https://nvd.nist.gov/vuln/detail/CVE-2023-36617, we need to upgrade uri to 0.12.2 (reference: https://scout.docker.com/vulnerabilities/id/CVE-2023-36617), but I don't see any gem installing that package in the Dockerfile; it looks like it comes in as a dependency.
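A defender-side check, added here and not part of this thread or the fluentd project, that reads an image's package inventory (the output of `apk list --installed` and `gem list --local` run inside the container) and compares it against the fix versions quoted above: 3.0.9-r2 for libssl3/libcrypto3 and 0.12.2 for the uri gem. The sample inventories below are constructed, not captured from a real image, and the thresholds are assumed to be the minimum safe versions.

```python
import re

# Fix thresholds as quoted in the thread (assumed to be the minimum safe versions).
FIXED_APK = {"libssl3": "3.0.9-r2", "libcrypto3": "3.0.9-r2"}  # OpenSSL packages, 3.0.9-r1 -> r2
FIXED_GEM = {"uri": "0.12.2"}                                  # uri gem, CVE-2023-36617

def parse_version(v):
    """'3.0.9-r2' -> ([3, 0, 9], 2); '0.12.2' -> ([0, 12, 2], 0). Tuples compare correctly."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version: {v}")
    return [int(x) for x in m.group(1).split(".")], int(m.group(2) or 0)

def parse_apk_list(text):
    """Parse `apk list --installed` lines such as 'libssl3-3.0.9-r1 x86_64 {openssl} ...'."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"(\S+?)-(\d\S*)(?:\s|$)", line)  # name ends before the first '-<digit>'
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs

def parse_gem_list(text):
    """Parse `gem list --local` lines such as 'uri (0.12.1, default: 0.12.1)'; keep the newest."""
    gems = {}
    for line in text.splitlines():
        m = re.match(r"(\S+) \((.*)\)", line)
        if m:
            versions = re.findall(r"\d+(?:\.\d+)+", m.group(2))
            if versions:
                gems[m.group(1)] = max(versions, key=parse_version)
    return gems

def check_inventory(apk_text, gem_text):
    """Return {package: (installed, fixed, ok)}; a package that is absent is reported as not ok."""
    result = {}
    for inventory, fixes in ((parse_apk_list(apk_text), FIXED_APK), (parse_gem_list(gem_text), FIXED_GEM)):
        for name, fixed in fixes.items():
            have = inventory.get(name)
            ok = have is not None and parse_version(have) >= parse_version(fixed)
            result[name] = (have, fixed, ok)
    return result

# Constructed sample inventories in the shape of the two commands' output (not from a real image).
SAMPLE_APK = """libcrypto3-3.0.9-r1 x86_64 {openssl} (Apache-2.0) [installed]
libssl3-3.0.9-r1 x86_64 {openssl} (Apache-2.0) [installed]
ca-certificates-20230506-r0 x86_64 {ca-certificates} (MPL-2.0) [installed]
"""
SAMPLE_GEM = """fluentd (1.16.0)
uri (default: 0.12.1)
"""

if __name__ == "__main__":
    for name, (have, fixed, ok) in check_inventory(SAMPLE_APK, SAMPLE_GEM).items():
        print(f"{name}: installed={have} fixed={fixed} {'OK' if ok else 'VULNERABLE'}")
```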

@ashie (Member)

ashie commented Sep 21, 2023

I released v1.16.2-1.1 at fluent/fluentd to suppress these CVEs.
I'll close this issue after I reflect it in https://hub.docker.com/_/fluentd

@tunguyen9889

tunguyen9889 commented Sep 21, 2023

Hi @ashie, thanks for fixing that! Could you please rebuild the Docker images in https://github.com/fluent/fluentd-kubernetes-daemonset as well, to patch those CVEs?
By the way, I have checked and I'm still not seeing the new tag v1.16.2-1.1 pushed to https://hub.docker.com/_/fluentd.

@ashie (Member)

ashie commented Sep 22, 2023

> Hi @ashie, thanks for fixing that! Could you please rebuild the Docker images in https://github.com/fluent/fluentd-kubernetes-daemonset as well, to patch those CVEs?

Of course we'll do it. Please wait for a while.

> By the way, I have checked and I'm still not seeing the new tag v1.16.2-1.1 pushed to https://hub.docker.com/_/fluentd.

Yes, not yet. Please wait for a while.

@tunguyen9889

tunguyen9889 commented Oct 4, 2023

Hi @ashie, thanks for this: fluent/fluentd-kubernetes-daemonset#1460, but it looks like some images (for example v1.16.2-debian-s3-amd64-1.1) are still missing from Docker Hub.

@ashie (Member)

ashie commented Oct 4, 2023

> Hi @ashie, thanks for this: fluent/fluentd-kubernetes-daemonset#1460, but it looks like some images (for example v1.16.2-debian-s3-amd64-1.1) are still missing from Docker Hub.

It's a known issue: fluent/fluentd-kubernetes-daemonset#1455
In the short term, we'll solve it by reorganizing the build settings on DockerHub.
In the middle term, we should resolve it by migrating the deployment system to GitHub Actions: #318

@ashie (Member)

ashie commented Oct 6, 2023

fluentd-kubernetes-daemonset v1.16-debian-s3 has also been updated.

ashie closed this as completed Oct 6, 2023