We are encountering the vulnerability of CVE-2023-44487 for the image gardendev/buildkit:v0.12.2. Can you please provide me with the resolution for this issue? #6506

Closed
SiddharamAlagi opened this issue Oct 4, 2024 · 6 comments · Fixed by #6522

@SiddharamAlagi

We are encountering the vulnerability of CVE-2023-44487 for the image gardendev/buildkit:v0.12.2. Can you please provide me with the resolution for this issue?

@SiddharamAlagi
Author

We are waiting for your response.

@10ko
Member

10ko commented Oct 8, 2024

Hi @SiddharamAlagi,
we are working on updating the image since it's still present in the latest tag (v0.13.2). It will be released with the next release.
Also, just to make sure I understand the issue: are you experiencing the vulnerability, or is it just being flagged by your security setup?

Thanks for reporting, we'll keep you posted.

@SiddharamAlagi
Author

Is there any way to override the buildkit image tag in the configuration to avoid this vulnerability?

@twelvemo
Collaborator

twelvemo commented Oct 8, 2024

Hi @SiddharamAlagi, no, that is currently not possible. I have updated the image to the latest buildkit image. Once it is merged you can use the garden edge version to already use the new image. We will also cut a new garden release today, which will make the fix generally available.

@vvagaytsev
Collaborator

@SiddharamAlagi the fix was released in Garden 0.13.42 yesterday.

Now Garden uses moby/buildkit:0.16.0 as a base image and that one does not have the vulnerability mentioned above.
Please let us know if there are any other issues.

@SiddharamAlagi
Author

Thank you so much.
