
Upgrade docker/docker package #4225

Merged (1 commit), May 15, 2023

Conversation

matttrach (Contributor)

This prevents issues like #4223 in future releases.

This will update the version of the docker/docker package to v20.10.24 in order to resolve CVE-2023-28840.

I was able to verify that Trivy no longer reports a vulnerability by building the binary, packing it into a container image locally, and scanning the image:

Test output

Running trivy against rke2 bin built on changes:

```
Dev: root@dev ~  trivy image --scanners vuln -s HIGH,CRITICAL docker.io/library/rke2-local:after
2023-05-12T22:53:02.368Z        INFO    Vulnerability scanning is enabled
2023-05-12T22:53:03.830Z        INFO    Number of language-specific files: 1
2023-05-12T22:53:03.830Z        INFO    Detecting gobinary vulnerabilities...
```

Running Trivy against rke2 bin built on master:

```
trivy image --scanners vuln -s HIGH,CRITICAL docker.io/library/rke2-local:master
2023-05-12T22:54:24.954Z        INFO    Vulnerability scanning is enabled
2023-05-12T22:54:26.347Z        INFO    Number of language-specific files: 1
2023-05-12T22:54:26.347Z        INFO    Detecting gobinary vulnerabilities...

rke2-master (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────────────┬────────────────┬──────────┬────────────────────────┬──────────────────┬──────────────────────────────────────────────────┐
│         Library          │ Vulnerability  │ Severity │   Installed Version    │  Fixed Version   │                      Title                       │
├──────────────────────────┼────────────────┼──────────┼────────────────────────┼──────────────────┼──────────────────────────────────────────────────┤
│ github.com/docker/docker │ CVE-2023-28840 │ HIGH     │ v20.10.12+incompatible │ 20.10.24, 23.0.3 │ Encrypted overlay network may be unauthenticated │
│                          │                │          │                        │                  │ https://avd.aquasec.com/nvd/cve-2023-28840       │
└──────────────────────────┴────────────────┴──────────┴────────────────────────┴──────────────────┴──────────────────────────────────────────────────┘
```

Signed-off-by: Matt Trachier <[email protected]>
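Added example, not code from this PR or from rke2: a small Go gate that compares the installed `github.com/docker/docker` version from the Trivy table above against the "Fixed Version" column, the check a CI job would run so a regression like #4223 fails the build before an image scan does. It assumes the fixed-version list is copied from the scan output, and it handles the `+incompatible` suffix and the missing `v` prefix that make a naive string comparison of the two columns wrong.

```go
package main

import (
	"strconv"
	"strings"
)

// Taken from the Trivy finding above: the installed version it reported and its "Fixed Version" column.
const installedBefore = "v20.10.12+incompatible"
var FixedVersions = []string{"20.10.24", "23.0.3"}

// parseVersion turns "v20.10.12+incompatible" into [20 10 12]. Go tags a v2+ module that
// predates the modules system with "+incompatible", and Trivy prints fixed versions without
// the leading "v", so comparing the two columns as strings gives wrong answers. A pre-release
// such as "v20.10.24-rc1" fails the numeric parse and is therefore treated as unfixed.
func parseVersion(v string) (out [3]int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	v, _, _ = strings.Cut(v, "+") // drop build metadata such as "+incompatible"
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// IsFixed reports whether installed is at or past the fix on its own release line
// (20.10.x is judged against 20.10.24, 23.0.x against 23.0.3). A release line with
// no listed fix is treated as unfixed, the conservative default for a CI gate.
func IsFixed(installed string, fixed []string) bool {
	inst, ok := parseVersion(installed)
	if !ok {
		return false
	}
	for _, f := range fixed {
		if fv, ok := parseVersion(f); ok && fv[0] == inst[0] {
			return inst[1] > fv[1] || (inst[1] == fv[1] && inst[2] >= fv[2])
		}
	}
	return false
}

func main() { println("fixed:", IsFixed(installedBefore, FixedVersions)) }
```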
@matttrach matttrach self-assigned this May 12, 2023
@matttrach matttrach requested a review from a team as a code owner May 12, 2023 22:56
@matttrach matttrach requested a review from macedogm May 12, 2023 22:56
@matttrach matttrach merged commit b11a6b0 into rancher:master May 15, 2023
matttrach added a commit to matttrach/rke2 that referenced this pull request May 15, 2023
matttrach added a commit that referenced this pull request May 15, 2023

4 participants