New tagged release from master to address vulnerabilities in v1.6.2 #614
MikeKlebolt started this conversation in General
Replies: 1 comment
I'll cut a new release soon (probably tomorrow), which should update all these dependencies.
-
Can we please get a new tagged release as v1.6.2 has several vulnerabilities that are addressed in master?
v1.6.2
trivy image quay.io/prometheus/pushgateway:v1.6.2 --security-checks vuln --ignore-unfixed
2024-01-10T09:10:00.898-0600 INFO Need to update DB
2024-01-10T09:10:00.898-0600 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2024-01-10T09:10:00.898-0600 INFO Downloading DB...
42.22 MiB / 42.22 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 9.50 MiB p/s 4.6s
2024-01-10T09:10:06.281-0600 INFO Vulnerability scanning is enabled
2024-01-10T09:10:08.447-0600 INFO Number of language-specific files: 1
2024-01-10T09:10:08.447-0600 INFO Detecting gobinary vulnerabilities...
bin/pushgateway (gobinary)
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)
┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2023-48795 │ MEDIUM │ fixed │ v0.8.0 │ 0.17.0 │ ssh: Prefix truncation attack on Binary Packet Protocol │
│ │ │ │ │ │ │ (BPP) │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-48795 │
├─────────────────────┼────────────────┼──────────┤ ├───────────────────┤ ├──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-39325 │ HIGH │ │ v0.10.0 │ │ golang: net/http, x/net/http2: rapid stream resets can cause │
│ │ │ │ │ │ │ excessive work (CVE-2023-44487) │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-39325 │
│ ├────────────────┼──────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-3978 │ MEDIUM │ │ │ 0.13.0 │ golang.org/x/net/html: Cross site scripting │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-3978 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-44487 │ │ │ │ 0.17.0 │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable │
│ │ │ │ │ │ │ to a DDoS attack... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-44487 │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
Master
trivy image quay.io/prometheus/pushgateway:master --security-checks vuln --ignore-unfixed
2024-01-10T09:23:08.576-0600 INFO Vulnerability scanning is enabled
2024-01-10T09:23:09.634-0600 INFO Number of language-specific files: 1
2024-01-10T09:23:09.634-0600 INFO Detecting gobinary vulnerabilities...
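The two scans above are compared by eye. For a release checklist it is more useful to have trivy write both reports as JSON (`--format json --output <file>`) and diff them, so the "fixed", "still present" and "newly introduced" sets are explicit. The script below is an added example, not part of the original discussion or of the pushgateway project. The two embedded reports are constructed to mirror the table in the post (trivy's real JSON has more fields; only the ones used here are included), and the merged severity cell for CVE-2023-44487 is filled in as MEDIUM to match the posted totals. It also handles the edge case visible in the master scan: a clean target, for which trivy omits the Vulnerabilities key entirely.

```python
"""Diff two Trivy JSON reports: which findings did the newer tag fix?

Added example (not the project's code). Usage with real reports:
    trivy image quay.io/prometheus/pushgateway:v1.6.2 --format json --output old.json
    trivy image quay.io/prometheus/pushgateway:master --format json --output new.json
    python trivy_diff.py old.json new.json
With no arguments it runs on the constructed sample reports below.
"""
import json
import sys
from typing import Dict, List, Tuple

# Constructed sample standing in for trivy JSON output on the v1.6.2 image.
# Field names follow trivy's schema; values mirror the table in the post.
OLD_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "quay.io/prometheus/pushgateway:v1.6.2",
    "Results": [{
        "Target": "bin/pushgateway", "Class": "lang-pkgs", "Type": "gobinary",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-48795", "PkgName": "golang.org/x/crypto",
             "InstalledVersion": "v0.8.0", "FixedVersion": "0.17.0", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2023-39325", "PkgName": "golang.org/x/net",
             "InstalledVersion": "v0.10.0", "FixedVersion": "0.17.0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-3978", "PkgName": "golang.org/x/net",
             "InstalledVersion": "v0.10.0", "FixedVersion": "0.13.0", "Severity": "MEDIUM"},
            # Severity assumed MEDIUM: the posted table merges this cell, and the
            # totals (MEDIUM: 3, HIGH: 1) only add up if it is MEDIUM.
            {"VulnerabilityID": "CVE-2023-44487", "PkgName": "golang.org/x/net",
             "InstalledVersion": "v0.10.0", "FixedVersion": "0.17.0", "Severity": "MEDIUM"},
        ],
    }],
}

# Constructed sample for the master image: a clean gobinary target. Trivy leaves
# out the "Vulnerabilities" key entirely in this case, so parsers must not index it.
NEW_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "quay.io/prometheus/pushgateway:master",
    "Results": [{"Target": "bin/pushgateway", "Class": "lang-pkgs", "Type": "gobinary"}],
}

Finding = Tuple[str, str]  # (VulnerabilityID, PkgName)


def findings(report: dict) -> Dict[Finding, dict]:
    """Flatten a report into {(cve, package): record}, tolerating clean targets."""
    out: Dict[Finding, dict] = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            out[(vuln["VulnerabilityID"], vuln["PkgName"])] = vuln
    return out


def severity_counts(report: dict) -> Dict[str, int]:
    """Reproduce trivy's 'Total: N (MEDIUM: x, HIGH: y ...)' line as a dict."""
    counts: Dict[str, int] = {}
    for vuln in findings(report).values():
        counts[vuln["Severity"]] = counts.get(vuln["Severity"], 0) + 1
    return counts


def diff_reports(old: dict, new: dict) -> Dict[str, List[Finding]]:
    """Partition findings into fixed (old only), new (new only) and remaining (both)."""
    old_f, new_f = findings(old), findings(new)
    return {
        "fixed": sorted(k for k in old_f if k not in new_f),
        "new": sorted(k for k in new_f if k not in old_f),
        "remaining": sorted(k for k in old_f if k in new_f),
    }


def load_report(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        old, new = load_report(sys.argv[1]), load_report(sys.argv[2])
    else:
        old, new = OLD_REPORT, NEW_REPORT
    print(f"{old['ArtifactName']}: {severity_counts(old)}")
    print(f"{new['ArtifactName']}: {severity_counts(new)}")
    for bucket, items in diff_reports(old, new).items():
        print(f"{bucket}: {len(items)}")
        for cve, pkg in items:
            print(f"  {cve}  {pkg}")
```

Two caveats when reading the result. Both scans in the post ran with `--ignore-unfixed`, so the comparison only covers findings that already have a fixed upstream version; rerun without that flag to see anything the new tag still carries with no fix available. And a finding that disappears from the "new" report is only proof that the dependency version changed, not that the code path is reachable or unreachable in pushgateway; the embedded module versions can be confirmed independently with `go version -m` on a copy of the binary.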