kubeflow-pipelines: pending upstream fix CVE-2020-8559 CVE-2023-3955 C…

…VE-2024-3177 (#5200) * kubeflow-pipelines: pending upstream fix CVE-2020-8559 Signed-off-by: James Rawlings <[email protected]> * kubeflow-pipelines: pending upstream fix CVE-2023-3955 CVE-2024-3177 Signed-off-by: James Rawlings <[email protected]> --------- Signed-off-by: James Rawlings <[email protected]>
wolfi-dev · Jun 6, 2024 · 999d30e · 999d30e
1 parent ecbec0a
commit 999d30e
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/kubeflow-pipelines.advisories.yaml b/kubeflow-pipelines.advisories.yaml
@@ -150,6 +150,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/apiserver
             scanner: grype
+      - timestamp: 2024-06-06T12:43:18Z
+        type: pending-upstream-fix
+        data:
+          note: The project uses an older version of 'k8s.io/kubernetes (v1.11.1)' package. To fix the CVE, we have to upgrade that to '1.24.17' or later. However, the project is not ready to upgrade the package yet since it will require a lot of changes in the codebase.
 
   - id: CGA-65j6-vpjf-wmcw
     aliases:
@@ -336,6 +340,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/apiserver
             scanner: grype
+      - timestamp: 2024-06-06T12:42:14Z
+        type: pending-upstream-fix
+        data:
+          note: The project uses an older version of 'k8s.io/kubernetes (v1.11.1)' package. To fix the CVE, we have to upgrade that to '1.24.17' or later. However, the project is not ready to upgrade the package yet since it will require a lot of changes in the codebase.
 
   - id: CGA-hvww-vpr8-9vp5
     aliases:
@@ -369,6 +377,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/apiserver
             scanner: grype
+      - timestamp: 2024-06-06T12:40:27Z
+        type: pending-upstream-fix
+        data:
+          note: The project uses an older version of 'k8s.io/kubernetes (v1.11.1)' package. To fix the CVE, we have to upgrade that to '1.24.17' or later. However, the project is not ready to upgrade the package yet since it will require a lot of changes in the codebase.
 
   - id: CGA-jmp8-cwq9-qp36
     aliases: