blackduck vuln scan high issues

[sergeykuperman]

Hello ,
could you please verify that velero v6.0.0 is not vulnerable to the following high issues reported by black duck scan?
glibc 2.35:
CVE-2023-4911 https://bdba.tools.sap/#/vulnerabilities/CVE-2023-4911
CVE-2023-4806 https://bdba.tools.sap/#/vulnerabilities/CVE-2023-4806

golang-runtime 1.21.6:
CVE-2024-24785 https://bdba.tools.sap/#/vulnerabilities/CVE-2024-24785

the last one is the more critical one.
Thanks in advance

[blackpiglet]

Do you mean https://github.com/vmware-tanzu/helm-charts/releases/tag/velero-6.0.0?
The related Velero version should be v1.13.x.

The released Velero tags v1.13.0 and v1.13.1 are affected by these CVEs.
The planned v1.13.2 will contain the fix of CVE-2024-24785.
I will check whether there are fixes for the other two CVEs in the Velero base image. If there isn't any fix, it should be acceptable, because Velero doesn't use related functions.

[sergeykuperman]

Thank you, can you evaluate approx timeline for 1.13.2 ?

[blackpiglet]

v1.13.2 should be released in this April.