New tagged release from master to address vulnerabilities in v1.6.2 #614
MikeKlebolt
Replies: 1 comment
I'll cut a new release soon (probably tomorrow), which should update all these dependencies.
Can we please get a new tagged release as v1.6.2 has several vulnerabilities that are addressed in master?
v1.6.2
```text
trivy image quay.io/prometheus/pushgateway:v1.6.2 --security-checks vuln --ignore-unfixed
2024-01-10T09:10:00.898-0600 INFO Need to update DB
2024-01-10T09:10:00.898-0600 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2024-01-10T09:10:00.898-0600 INFO Downloading DB...
42.22 MiB / 42.22 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 9.50 MiB p/s 4.6s
2024-01-10T09:10:06.281-0600 INFO Vulnerability scanning is enabled
2024-01-10T09:10:08.447-0600 INFO Number of language-specific files: 1
2024-01-10T09:10:08.447-0600 INFO Detecting gobinary vulnerabilities...

bin/pushgateway (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)
```

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| golang.org/x/crypto | CVE-2023-48795 | MEDIUM | fixed | v0.8.0 | 0.17.0 | ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (https://avd.aquasec.com/nvd/cve-2023-48795) |
| golang.org/x/net | CVE-2023-39325 | HIGH | fixed | v0.10.0 | 0.17.0 | golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (https://avd.aquasec.com/nvd/cve-2023-39325) |
| golang.org/x/net | CVE-2023-3978 | MEDIUM | fixed | v0.10.0 | 0.13.0 | golang.org/x/net/html: Cross site scripting (https://avd.aquasec.com/nvd/cve-2023-3978) |
| golang.org/x/net | CVE-2023-44487 | MEDIUM | fixed | v0.10.0 | 0.17.0 | HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack... (https://avd.aquasec.com/nvd/cve-2023-44487) |
Master
```text
trivy image quay.io/prometheus/pushgateway:master --security-checks vuln --ignore-unfixed
2024-01-10T09:23:08.576-0600 INFO Vulnerability scanning is enabled
2024-01-10T09:23:09.634-0600 INFO Number of language-specific files: 1
2024-01-10T09:23:09.634-0600 INFO Detecting gobinary vulnerabilities...
```
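Added example (not part of this thread or of the pushgateway project): a small script that compares two `trivy image --format json` reports, so a maintainer or consumer can confirm which of the findings above a new tag actually resolves and whether anything at HIGH or above still blocks promotion. The two reports below are constructed to mirror the scans in this post; `SEVERITY_RANK` and the function names are this example's own.

```python
"""Compare two `trivy image --format json` reports and gate image promotion."""
import json

# Constructed sample reports shaped like Trivy JSON output (not captured from Trivy).
REPORT_OLD = json.loads("""{"ArtifactName": "quay.io/prometheus/pushgateway:v1.6.2",
 "Results": [{"Target": "bin/pushgateway", "Type": "gobinary", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-2023-48795", "PkgName": "golang.org/x/crypto", "InstalledVersion": "v0.8.0", "FixedVersion": "0.17.0", "Severity": "MEDIUM", "Status": "fixed"},
  {"VulnerabilityID": "CVE-2023-39325", "PkgName": "golang.org/x/net", "InstalledVersion": "v0.10.0", "FixedVersion": "0.17.0", "Severity": "HIGH", "Status": "fixed"},
  {"VulnerabilityID": "CVE-2023-3978", "PkgName": "golang.org/x/net", "InstalledVersion": "v0.10.0", "FixedVersion": "0.13.0", "Severity": "MEDIUM", "Status": "fixed"},
  {"VulnerabilityID": "CVE-2023-44487", "PkgName": "golang.org/x/net", "InstalledVersion": "v0.10.0", "FixedVersion": "0.17.0", "Severity": "MEDIUM", "Status": "fixed"}]}]}""")
# A clean scan: a target with no findings may carry no "Vulnerabilities" key at all.
REPORT_NEW = json.loads("""{"ArtifactName": "quay.io/prometheus/pushgateway:master",
 "Results": [{"Target": "bin/pushgateway", "Type": "gobinary"}]}""")

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report, ignore_unfixed=True):
    """Map (target, package, CVE) -> finding; drops unfixed ones like --ignore-unfixed."""
    out = {}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            out[(result["Target"], v["PkgName"], v["VulnerabilityID"])] = v
    return out


def diff_reports(old, new):
    """Classify CVEs as fixed (gone in new), remaining, or introduced (only in new)."""
    a, b = findings(old), findings(new)
    return {
        "fixed": sorted(k[2] for k in a.keys() - b.keys()),
        "remaining": sorted(k[2] for k in a.keys() & b.keys()),
        "introduced": sorted(k[2] for k in b.keys() - a.keys()),
    }


def blocking_findings(report, min_severity="HIGH"):
    """CVE ids at or above min_severity that should block promoting this tag."""
    threshold = SEVERITY_RANK[min_severity]
    return sorted(v["VulnerabilityID"] for v in findings(report).values()
                  if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) >= threshold)


if __name__ == "__main__":
    print(json.dumps(diff_reports(REPORT_OLD, REPORT_NEW), indent=2))
    print("v1.6.2 blocking:", blocking_findings(REPORT_OLD))
    print("master blocking:", blocking_findings(REPORT_NEW))
```

To use it on real images, replace the two literals with `json.load()` of the files written by `trivy image --format json -o <file> <image>`.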