CVE-2020-8558 for k8s.io/kubernetes v1.14.6 #742

Closed
michaeljobrien opened this issue Feb 17, 2023 · 10 comments
Comments

@michaeljobrien

Our security scanner is identifying CVE-2020-8558 for node-problem-detector due to k8s.io/kubernetes version 1.14.6.

Are there plans to update this module, or is node-problem-detector somehow confirmed as not vulnerable?

@jmhbnz
Member

jmhbnz commented Feb 20, 2023

This would be resolved by #706 once merged.

@Dentrax

Dentrax commented Feb 23, 2023

It'd be great if someone helped me on that PR. I got lost and don't know why tests are failing. Since almost months have passed since submitting, now I have to update all the deps again to match the upstream k8s repo. Feel free to ping me. Or, we can submit a particular PR to remediate this specific vulnerability.

@pluzun

pluzun commented Feb 28, 2023

I agree about the need to bump dependencies.

@yaron-idan

Hey @Dentrax , I would like to create a PR that would remediate the kubernetes vulnerability mentioned in this issue. Would you be willing to explain how this patch can be separated from the rest of the code in #706 (if that's even possible)?

Thanks.

@Dentrax

Dentrax commented May 18, 2023

Hey @Dentrax , I would like to create a PR that would remediate the kubernetes vulnerability mentioned in this issue. Would you be willing to explain how this patch can be separated from the rest of the code in #706 (if that's even possible)?

Thanks.

Hey! Thanks for the interest. At PR #706, I couldn't make CI pass after lots of work, and I decided to abandon it.

So let me ping the maintainer, maybe @vteratipally got a thought on this.

@yaron-idan

Hey @Dentrax, I've created a branch which cherry-picks the changes you made in order to tackle the CVE mentioned in the issue. Thank you for the work you've done in #706; it was crucial for allowing me to create this change.
Since most of the changes introduced here were originally written by you, I wanted to touch base before submitting a PR, in case you'd like to do so yourself.

@yaron-idan

I've created PR #761 to address the CVE this issue discusses. Please take a look.

@Dentrax

Dentrax commented Jul 16, 2023

I made a CVE-free version of node-problem-detector! Check this out: https://github.com/chainguard-images/images/tree/main/images/node-problem-detector

cgr.dev/chainguard/node-problem-detector:latest

@hakman
Member

hakman commented Sep 15, 2023

This should be fixed by #806.
/close

@k8s-ci-robot
Contributor

@hakman: Closing this issue.

In response to this:

This should be fixed by #806.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
