resolve CVE-2023-29491 in minio deps #4053

Merged
merged 2 commits into from
Sep 29, 2023

Conversation

cbodonnell
Contributor

What this PR does / why we need it:

Upgrades the minio/minio and minio/mc images to versions RELEASE.2023-09-23T03-47-50Z and RELEASE.2023-09-22T05-07-46Z, respectively, to resolve CVE-2023-29491 with high severity.

Which issue(s) this PR fixes:

https://app.shortcut.com/replicated/story/89721/cve-2023-29491

Special notes for your reviewer:

Steps to reproduce

minio/minio

➜  trivy image --format table --ignore-unfixed --severity CRITICAL,HIGH,MEDIUM docker.io/minio/minio:RELEASE.2023-09-23T03-47-50Z
2023-09-28T12:39:48.932-0400	INFO	Vulnerability scanning is enabled
2023-09-28T12:39:48.932-0400	INFO	Secret scanning is enabled
2023-09-28T12:39:48.932-0400	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-09-28T12:39:48.932-0400	INFO	Please see also https://aquasecurity.github.io/trivy/v0.29.2/docs/secret/scanning/#recommendation for faster secret detection
2023-09-28T12:39:52.710-0400	INFO	Detected OS: redhat
2023-09-28T12:39:52.710-0400	INFO	Detecting RHEL/CentOS vulnerabilities...
2023-09-28T12:39:52.723-0400	INFO	Number of language-specific files: 2
2023-09-28T12:39:52.723-0400	INFO	Detecting gobinary vulnerabilities...

docker.io/minio/minio:RELEASE.2023-09-23T03-47-50Z (redhat 8.8)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)


opt/bin/mc (gobinary)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)


opt/bin/minio (gobinary)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)

minio/mc

➜  trivy image --format table --ignore-unfixed --severity CRITICAL,HIGH,MEDIUM docker.io/minio/mc:RELEASE.2023-09-22T05-07-46Z                            
2023-09-28T12:40:14.891-0400	INFO	Vulnerability scanning is enabled
2023-09-28T12:40:14.891-0400	INFO	Secret scanning is enabled
2023-09-28T12:40:14.891-0400	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-09-28T12:40:14.891-0400	INFO	Please see also https://aquasecurity.github.io/trivy/v0.29.2/docs/secret/scanning/#recommendation for faster secret detection
2023-09-28T12:40:16.734-0400	INFO	Detected OS: redhat
2023-09-28T12:40:16.734-0400	INFO	Detecting RHEL/CentOS vulnerabilities...
2023-09-28T12:40:16.747-0400	INFO	Number of language-specific files: 1
2023-09-28T12:40:16.747-0400	INFO	Detecting gobinary vulnerabilities...

docker.io/minio/mc:RELEASE.2023-09-22T05-07-46Z (redhat 8.8)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/bin/mc (gobinary)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Does this PR introduce a user-facing change?

Upgrades the minio/minio and minio/mc images to versions RELEASE.2023-09-23T03-47-50Z and RELEASE.2023-09-22T05-07-46Z, respectively, to resolve CVE-2023-29491 with high severity.

Does this PR require documentation?

@cbodonnell cbodonnell marked this pull request as ready for review September 28, 2023 17:29
@cbodonnell cbodonnell merged commit 1ef9b84 into main Sep 29, 2023
78 checks passed
@cbodonnell cbodonnell deleted the cbo/CVE-2023-29491 branch September 29, 2023 20:09
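
An added example (not part of the PR or the project's code): a Python check over Trivy's JSON report (`--format json`) that applies the same severity and fixed-only filters as the scan commands in the PR description, and fails closed when an expected target was not scanned. The sample reports are constructed, and the package names, versions and the second CVE id in them are placeholders.

```python
import json

GATED = {"MEDIUM", "HIGH", "CRITICAL"}  # same set as --severity in the PR's command

def findings(report, cve=None, fixed_only=True):
    """Rows (target, id, package, severity) that the PR's scan settings would report."""
    rows = []
    for result in report.get("Results") or []:
        # Trivy omits "Vulnerabilities" (or sets it to null) for a clean target.
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in GATED:
                continue
            if fixed_only and not v.get("FixedVersion"):
                continue  # same effect as --ignore-unfixed
            if cve is None or v.get("VulnerabilityID") == cve:
                rows.append((result.get("Target"), v.get("VulnerabilityID"),
                             v.get("PkgName"), v.get("Severity")))
    return rows

def verify(report, cve, required_targets):
    """Fail closed: a zero count only counts if every expected target was scanned."""
    seen = {r.get("Target") for r in report.get("Results") or []}
    missing = sorted(set(required_targets) - seen)
    blocking = findings(report)
    return {"ok": not missing and not blocking, "missing_targets": missing,
            "cve_present": bool(findings(report, cve=cve)), "blocking": blocking}

IMAGE = "docker.io/minio/minio:RELEASE.2023-09-23T03-47-50Z (redhat 8.8)"
TARGETS = [IMAGE, "opt/bin/mc", "opt/bin/minio"]  # targets listed in the PR's scan output
OLD = "minio/minio:OLD-TAG-PLACEHOLDER (redhat 8.8)"  # placeholder, not from the PR

# Constructed reports; package name and versions are placeholders, not from the PR.
BEFORE = json.loads("""{"Results": [{"Target": "minio/minio:OLD-TAG-PLACEHOLDER (redhat 8.8)",
  "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2023-29491", "PkgName": "example-pkg",
     "InstalledVersion": "0.0.1", "FixedVersion": "0.0.2", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example-pkg",
     "InstalledVersion": "0.0.1", "FixedVersion": "", "Severity": "HIGH"}]}]}""")
AFTER = {"Results": [{"Target": IMAGE}, {"Target": "opt/bin/mc", "Vulnerabilities": None},
                     {"Target": "opt/bin/minio"}]}
EMPTY = {"Results": None}  # a report in which no target was analysed

if __name__ == "__main__":
    for name, rep, targets in (("before", BEFORE, [OLD]), ("after", AFTER, TARGETS),
                               ("empty", EMPTY, TARGETS)):
        print(name, verify(rep, "CVE-2023-29491", targets))
```
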