Need fix for CVE-2023-45288 #261

Closed
andriisoldatenko opened this issue May 8, 2024 · 9 comments

Comments

@andriisoldatenko

If we bump the Go version from go1.21.5 to go1.21.10, we can solve the issue.

GHSA-4v7x-pqxf-cx7m

Please let me know if you need help; I can try to contribute if you accept the PR.

@andriisoldatenko
Author

@ggriffiths could you please help me understand how to bump the Go version? I see https://github.com/kubernetes/kubernetes/blob/master/.go-version#L1

and I see

configvar CSI_PROW_GO_VERSION_BUILD "1.21.5" "Go version for building the component" # depends on component's source code

but it's unclear how to bump it correctly.

@jsafrane
Contributor

I think this repo will get a new go version when it gets updated to Kubernetes 1.30 libraries. I'm waiting for a new github.com/kubernetes-csi/csi-lib-utils tag and then we will update all CSI sidecars.

@andriisoldatenko
Author

@jsafrane thanks!

@jwstein3400

@jsafrane Hi, it appears that a new tag was released last week: https://github.com/kubernetes-csi/csi-lib-utils/releases/tag/v0.18.0
Does that mean we can expect to see all the CSI sidecars uplifted and tagged for release?

@andriisoldatenko
Author

andriisoldatenko commented May 28, 2024

The problem is that the new release doesn't exist in the registry:

Trying to pull registry.k8s.io/sig-storage/livenessprobe:v2.13.0...
Error: initializing source docker://registry.k8s.io/sig-storage/livenessprobe:v2.13.0: reading manifest v2.13.0 in registry.k8s.io/sig-storage/livenessprobe: manifest unknown: Failed to fetch "v2.13.0"

cc @jsafrane

@jsafrane
Contributor

jsafrane commented May 31, 2024

Windows image build fails because of microsoft/Windows-Containers#493 :-(
We need fixed Windows base images to get a final 2.13 build of all images.

@andriisoldatenko
Author

@jsafrane it seems the related ticket, microsoft/Windows-Containers#493, has been resolved.

Could you please check why I still can't pull an image?

Trying to pull registry.k8s.io/sig-storage/livenessprobe:v2.13.0...
Error: initializing source docker://registry.k8s.io/sig-storage/livenessprobe:v2.13.0: reading manifest v2.13.0 in registry.k8s.io/sig-storage/livenessprobe: manifest unknown: Failed to fetch "v2.13.0"

@jsafrane
Contributor

I published livenessprobe:v2.13.1 this week; I am not able to re-build and re-publish v2.13.0 :-(

@andriisoldatenko
Author

I think the issue was resolved, so I'll close it because the image is available.

Thanks a lot for your help @jsafrane

TerryHowe added a commit to TerryHowe/livenessprobe that referenced this issue Dec 9, 2024
98f2307 Merge pull request kubernetes-csi#260 from TerryHowe/update-csi-driver-version
e9d8712 Merge pull request kubernetes-csi#259 from stmcginnis/deprecated-kind-kube-root
faf79ff Remove --kube-root deprecated kind argument
734c2b9 Merge pull request kubernetes-csi#265 from Rakshith-R/consider-main-branch
f95c855 Merge pull request kubernetes-csi#262 from huww98/golang-toolchain
3c8d966 Treat main branch as equivalent to master branch
e31de52 Merge pull request kubernetes-csi#261 from huww98/golang
fd153a9 Bump golang to 1.23.1
a8b3d05 pull-test.sh: fix "git subtree pull" errors
6b05f0f use new GOTOOLCHAIN env to manage go version
18b6ac6 chore: update CSI driver version to 1.15

git-subtree-dir: release-tools
git-subtree-split: 98f23071d946dd3de3188a7e1f84679067003162
TerryHowe added a commit to TerryHowe/livenessprobe that referenced this issue Dec 11, 2024
406a79ac Merge pull request kubernetes-csi#267 from huww98/gomodcache
9cec273d Set GOMODCACHE to avoid re-download toolchain
98f23071 Merge pull request kubernetes-csi#260 from TerryHowe/update-csi-driver-version
e9d8712d Merge pull request kubernetes-csi#259 from stmcginnis/deprecated-kind-kube-root
faf79ff6 Remove --kube-root deprecated kind argument
734c2b95 Merge pull request kubernetes-csi#265 from Rakshith-R/consider-main-branch
f95c855b Merge pull request kubernetes-csi#262 from huww98/golang-toolchain
3c8d966f Treat main branch as equivalent to master branch
e31de525 Merge pull request kubernetes-csi#261 from huww98/golang
fd153a9e Bump golang to 1.23.1
a8b3d050 pull-test.sh: fix "git subtree pull" errors
6b05f0fc use new GOTOOLCHAIN env to manage go version
18b6ac6d chore: update CSI driver version to 1.15

git-subtree-dir: release-tools
git-subtree-split: 406a79acf021b5564108afebeea7d0ed44648d3f