
Upgrade to latest Java base container, update Armeria and Spring deps #3472

Merged
merged 1 commit into from
Aug 23, 2022

Conversation


@llinder llinder commented Aug 19, 2022

No description provided.


llinder commented Aug 19, 2022

Trivy scan before updates:

openzipkin/zipkin:2.23.18 (alpine 3.15.4)
=========================================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 1)

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2022-2097    | HIGH     | 1.1.1n-r0         | 1.1.1q-r0     | openssl: AES OCB fails                |
|              |                  |          |                   |               | to encrypt some bytes                 |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-2097  |
+--------------+                  +          +                   +               +                                       +
| libssl1.1    |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| zlib         | CVE-2022-37434   | CRITICAL | 1.2.12-r0         | 1.2.12-r2     | zlib: a heap-based buffer             |
|              |                  |          |                   |               | over-read or buffer overflow          |
|              |                  |          |                   |               | in inflate in inflate.c...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-37434 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+

Java (jar)
==========
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 0, CRITICAL: 0)

+----------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|          LIBRARY           | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| io.netty:netty-codec       | CVE-2022-24823   | MEDIUM   | 4.1.70.Final      | 4.1.77.Final  | netty: world readable temporary       |
|                            |                  |          |                   |               | file containing sensitive data        |
|                            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-24823 |
+----------------------------+------------------+          +                   +---------------+---------------------------------------+
| io.netty:netty-codec-http  | CVE-2021-43797   |          |                   | 4.1.71.Final  | netty: control chars in header names  |
|                            |                  |          |                   |               | may lead to HTTP request smuggling... |
|                            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-43797 |
+                            +------------------+          +                   +---------------+---------------------------------------+
|                            | CVE-2022-24823   |          |                   | 4.1.77.Final  | netty: world readable temporary       |
|                            |                  |          |                   |               | file containing sensitive data        |
|                            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-24823 |
+----------------------------+                  +          +                   +               +                                       +
| io.netty:netty-codec-http2 |                  |          |                   |               |                                       |
|                            |                  |          |                   |               |                                       |
|                            |                  |          |                   |               |                                       |
+----------------------------+                  +          +                   +               +                                       +
| io.netty:netty-handler     |                  |          |                   |               |                                       |
|                            |                  |          |                   |               |                                       |
|                            |                  |          |                   |               |                                       |
+----------------------------+------------------+----------+-------------------+---------------+---------------------------------------+

After updates:

openzipkin/zipkin:test (alpine 3.16.2)
======================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


Java (jar)
==========
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
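The before/after comparison in the comment above was read off Trivy's table output by eye. As an added example (not code from the zipkin project or from this PR), the Python below does the same check from Trivy's JSON output (`trivy image --format json`): it counts findings per severity the way Trivy's `Total:` line does, diffs two reports to confirm every finding was fixed and nothing new was introduced, and returns build-failing reasons for HIGH/CRITICAL findings that have a fix available. The two sample reports are constructed inline to mirror the findings quoted in the comment; the field names follow Trivy's JSON schema, while the `require_fix` knob and the function names are this script's own assumptions.

```python
"""Summarise, diff and gate on Trivy JSON reports.

Added example, not code from the openzipkin/zipkin project. Input shape is
Trivy's JSON output: a top-level "Results" list whose entries carry
"Target", "Type" and a "Vulnerabilities" list with "VulnerabilityID",
"PkgName", "InstalledVersion", "FixedVersion" and "Severity".
"""
from __future__ import annotations

import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample: the pre-update scan, packages and CVEs as listed in the PR comment.
BEFORE_JSON = json.dumps({
    "ArtifactName": "openzipkin/zipkin:2.23.18",
    "Results": [
        {"Target": "openzipkin/zipkin:2.23.18 (alpine 3.15.4)", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-2097", "PkgName": "libcrypto1.1",
              "InstalledVersion": "1.1.1n-r0", "FixedVersion": "1.1.1q-r0", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2022-2097", "PkgName": "libssl1.1",
              "InstalledVersion": "1.1.1n-r0", "FixedVersion": "1.1.1q-r0", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2022-37434", "PkgName": "zlib",
              "InstalledVersion": "1.2.12-r0", "FixedVersion": "1.2.12-r2", "Severity": "CRITICAL"},
         ]},
        {"Target": "Java", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-24823", "PkgName": "io.netty:netty-codec",
              "InstalledVersion": "4.1.70.Final", "FixedVersion": "4.1.77.Final", "Severity": "MEDIUM"},
             {"VulnerabilityID": "CVE-2021-43797", "PkgName": "io.netty:netty-codec-http",
              "InstalledVersion": "4.1.70.Final", "FixedVersion": "4.1.71.Final", "Severity": "MEDIUM"},
             {"VulnerabilityID": "CVE-2022-24823", "PkgName": "io.netty:netty-codec-http",
              "InstalledVersion": "4.1.70.Final", "FixedVersion": "4.1.77.Final", "Severity": "MEDIUM"},
             {"VulnerabilityID": "CVE-2022-24823", "PkgName": "io.netty:netty-codec-http2",
              "InstalledVersion": "4.1.70.Final", "FixedVersion": "4.1.77.Final", "Severity": "MEDIUM"},
             {"VulnerabilityID": "CVE-2022-24823", "PkgName": "io.netty:netty-handler",
              "InstalledVersion": "4.1.70.Final", "FixedVersion": "4.1.77.Final", "Severity": "MEDIUM"},
         ]},
    ],
})

# Constructed sample: the post-update scan, which reported no findings.
# Trivy may omit "Vulnerabilities" entirely for a clean target, so that case is included.
AFTER_JSON = json.dumps({
    "ArtifactName": "openzipkin/zipkin:test",
    "Results": [
        {"Target": "openzipkin/zipkin:test (alpine 3.16.2)", "Type": "alpine", "Vulnerabilities": []},
        {"Target": "Java", "Type": "jar"},
    ],
})


def parse_report(text: str) -> dict:
    """Parse a Trivy JSON report (kept as a function so callers never touch json directly)."""
    return json.loads(text)


def _vulns(report: dict):
    """Yield every vulnerability entry, tolerating targets with no 'Vulnerabilities' key."""
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            yield v


def findings(report: dict) -> set[tuple[str, str]]:
    """Set of (vulnerability id, package) pairs.

    Keyed on the pair rather than the CVE alone so the same CVE in two
    packages (CVE-2022-2097 in libcrypto1.1 and libssl1.1) is tracked per
    package and a partial fix is not mistaken for a full one.
    """
    return {(v["VulnerabilityID"], v["PkgName"]) for v in _vulns(report)}


def severity_counts(report: dict) -> dict[str, int]:
    """Findings per severity, matching Trivy's 'Total: N (UNKNOWN: .., ..)' line."""
    counts = Counter(v.get("Severity", "UNKNOWN") for v in _vulns(report))
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def diff_reports(before: dict, after: dict) -> dict[str, set[tuple[str, str]]]:
    """Findings removed by the change, and any the change introduced."""
    b, a = findings(before), findings(after)
    return {"fixed": b - a, "introduced": a - b}


def gate(report: dict, fail_on=("HIGH", "CRITICAL"), require_fix=True) -> list[str]:
    """Reasons to fail a build; an empty list means the gate passes.

    require_fix is this script's own knob (same idea as trivy's --ignore-unfixed):
    findings with no FixedVersion cannot be remediated by an upgrade yet, so
    they are skipped rather than blocking the build.
    """
    reasons = []
    for v in _vulns(report):
        if v.get("Severity") not in fail_on:
            continue
        if require_fix and not v.get("FixedVersion"):
            continue
        reasons.append(f"{v['VulnerabilityID']} in {v['PkgName']} "
                       f"{v['InstalledVersion']} -> {v['FixedVersion']} ({v['Severity']})")
    return reasons


if __name__ == "__main__":
    before, after = parse_report(BEFORE_JSON), parse_report(AFTER_JSON)
    print("before:", severity_counts(before))
    print("after: ", severity_counts(after))
    delta = diff_reports(before, after)
    print(f"fixed {len(delta['fixed'])}, introduced {len(delta['introduced'])}")
    for reason in gate(before):
        print("FAIL:", reason)
```

In CI the two reports would come from `trivy image --format json` runs against the previous and the freshly built tag; the `introduced` set is the check worth keeping even when the new scan is not clean, since a base-image bump can trade one set of CVEs for another.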

@llinder llinder force-pushed the update branch 3 times, most recently from ea7f592 to 88bb425 Compare August 22, 2022 17:21
@llinder llinder merged commit b181d5c into openzipkin:master Aug 23, 2022
1 participant