kubernetes module version 11.0.0 has CVE #1251

Open
5 tasks
goern opened this issue Apr 7, 2022 · 2 comments · Fixed by #1254
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. sig/devsecops Categorizes an issue or PR as relevant to SIG DevSecOps. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@goern
Member

goern commented Apr 7, 2022

Is your feature request related to a problem? Please describe.
https://github.com/thoth-station/common/blob/master/requirements.txt#L10 declares a dependency on kubernetes; the current version, v11.0.0, is affected by https://access.redhat.com/security/cve/cve-2020-1747

This results in all our container images having a critical security issue, for example: https://quay.io/repository/thoth-station/integration-tests/manifest/sha256:7d4195a824800c12b63b011e29f2f1ffc7e623a3753373cd5c2c5c775b3ac7df?tab=vulnerabilities

Describe the solution you'd like
Update the kubernetes dependency to a new version and release a new patch version of thoth-common.

Describe alternatives you've considered
n/a

Additional context

Update to v12.0.0 can be done; due to issue #1273, wait for a better release and testing.

Acceptance criteria

  • kubernetes package is up to date in the common repo
  • verify the kube config is loading
  • dependent images are updated
  • dependent packages work, e.g. user-api, management-api
  • Quay not showing a critical CVE on current versions of thoth-station images
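The first acceptance criterion above is a check a CI job can make mechanically: parse the repository's requirements file and fail if the kubernetes specifier still allows a version below the one the upgrade targets. The script below is an added example for this issue, not code from thoth-common; the requirements content it scans is constructed, and the minimum version `12.0.0` is taken from the upgrade discussed here as an assumption, not from the advisory text. It implements a small PEP 440-style comparison so that a pre-release such as `12.0.0a1` (mentioned in the later title change) sorts below the final `12.0.0`.

```python
"""Added example: flag requirements.txt pins that still permit a dependency
version below an assumed minimum.  Not thoth-common's own code; the sample
requirements and the minimum version are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# PEP 440-lite: "12.0.0", "12.0.0a1", "12.0.0rc2".  Anything else is rejected
# rather than silently mis-ordered (e.g. ".post1" or a leading "v").
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?")
_SPEC_RE = re.compile(r"^\s*(==|>=|<=|!=|~=|>|<)\s*(\S+)\s*$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, str, int]]:
    """Split a version into (release tuple, pre-release key).
    A final release sorts after any pre-release of the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    pre = (0, m.group(2), int(m.group(3))) if m.group(2) else (1, "", 0)
    return release, pre


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b ("12.0" == "12.0.0")."""
    ra, pa = parse_version(a)
    rb, pb = parse_version(b)
    width = max(len(ra), len(rb))
    ra += (0,) * (width - len(ra))
    rb += (0,) * (width - len(rb))
    return (ra, pa) < (rb, pb)


def parse_requirements(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {normalized name: [(operator, version), ...]}.
    Skips comments, blank lines and option lines ("-r", "--hash"); handles
    extras ("requests[security]"), environment markers (after ";") and
    comma-separated specifier sets.  Unpinned names produce no entry."""
    pins: Dict[str, List[Tuple[str, str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        name_m = _NAME_RE.match(line)
        if not name_m:
            continue
        name = name_m.group(1).lower().replace("_", "-")
        rest = line[name_m.end():].split(";", 1)[0]
        for spec in rest.split(","):
            sm = _SPEC_RE.match(spec)
            if sm:
                pins.setdefault(name, []).append((sm.group(1), sm.group(2)))
    return pins


def vulnerable_pins(text: str, package: str, minimum: str) -> List[str]:
    """Findings for specifiers of `package` that still admit a version
    below `minimum`: an exact pin below it, an upper bound that excludes
    it, or a lower bound loose enough for the resolver to pick an old release."""
    findings: List[str] = []
    key = package.lower().replace("_", "-")
    for op, ver in parse_requirements(text).get(key, []):
        if op in ("==", "~=") and version_lt(ver, minimum):
            findings.append(f"{package}{op}{ver} is below minimum {minimum}")
        elif op == "<" and not version_lt(minimum, ver):
            findings.append(f"{package}<{ver} caps the package below {minimum}")
        elif op == "<=" and version_lt(ver, minimum):
            findings.append(f"{package}<={ver} caps the package below {minimum}")
        elif op == ">=" and version_lt(ver, minimum):
            findings.append(f"{package}>={ver} still allows releases below {minimum}")
    return findings


# Constructed sample; the project's real requirements.txt is not reproduced.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not the project's actual file
kubernetes==11.0.0
openshift>=0.11
pyyaml
requests[security]>=2.25.0,<3
"""

# Assumption for this example: the upgrade target discussed in the issue.
ASSUMED_MINIMUM = "12.0.0"

if __name__ == "__main__":
    for finding in vulnerable_pins(SAMPLE_REQUIREMENTS, "kubernetes", ASSUMED_MINIMUM):
        print(finding)
```

Run it from the repository root against the real file with `vulnerable_pins(open("requirements.txt").read(), "kubernetes", ASSUMED_MINIMUM)` and fail the job when the list is non-empty; the version strings it understands are deliberately narrow, so a pin in an unexpected format raises rather than passing unchecked.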
@goern goern added the kind/feature Categorizes issue or PR as related to a new feature. label Apr 7, 2022
@sesheta sesheta added priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. sig/devsecops Categorizes an issue or PR as relevant to SIG DevSecOps. labels Apr 7, 2022
@harshad16 harshad16 changed the title upgrade minimum version of kubernetes module to 12.0.0a1 kubernetes module version 11.0.0 has CVE Aug 16, 2022
@harshad16 harshad16 reopened this Aug 16, 2022
@harshad16
Member

harshad16 commented Aug 16, 2022

Changing the priority as upgrading to v12.0.0 kubernetes would cause failure in user-api.
/priority important-soon
/lifecycle frozen
/triage accepted

Any upgrade of the kubernetes and openshift versions should be tested in user-api as well.

@sesheta sesheta added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Aug 16, 2022
@harshad16 harshad16 removed the priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. label Aug 16, 2022
@codificat
Member

I think this is more:
/remove-kind feature
/kind bug

@sesheta sesheta added kind/bug Categorizes issue or PR as related to a bug. and removed kind/feature Categorizes issue or PR as related to a new feature. labels Oct 7, 2022
@codificat codificat moved this to 🆕 New in Planning Board Oct 7, 2022
@codificat codificat added priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. and removed priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Nov 21, 2022
@codificat codificat moved this from 🆕 New to 📋 Backlog in Planning Board Nov 21, 2022
@codificat codificat moved this from 📋 Backlog to 🔖 Next in Planning Board Nov 21, 2022
@mayaCostantini mayaCostantini removed their assignment Dec 1, 2022
@harshad16 harshad16 removed their assignment Jan 5, 2023
Projects
Status: 🔖 Next
7 participants