
upgrade minio to RELEASE.2023-11-11T08-14-41Z #4131

Closed

Conversation

cbodonnell (Contributor)
What this PR does / why we need it:

Upgrades the minio image to RELEASE.2023-11-11T08-14-41Z to resolve the following CVEs:

opt/bin/mc (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────────┐
│        Library         │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version      │                           Title                            │
├────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc │ GHSA-m425-mq94-257g │ HIGH     │ fixed  │ v1.58.0           │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                   │
│                        │                     │          │        │                   │                        │ https://github.com/advisories/GHSA-m425-mq94-257g          │
│                        ├─────────────────────┼──────────┤        │                   ├────────────────────────┼────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-44487      │ MEDIUM   │        │                   │ 1.58.3, 1.57.1, 1.56.3 │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable │
│                        │                     │          │        │                   │                        │ to a DDoS attack...                                        │
│                        │                     │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                 │
└────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────────────┴────────────────────────────────────────────────────────────┘

opt/bin/minio (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌──────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────────┐
│         Library          │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version      │                           Title                            │
├──────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ github.com/nats-io/nkeys │ CVE-2023-46129      │ HIGH     │ fixed  │ v0.4.5            │ 0.4.6                  │ nkeys: xkeys Seal encryption used fixed key for all        │
│                          │                     │          │        │                   │                        │ encryption                                                 │
│                          │                     │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-46129                 │
├──────────────────────────┼─────────────────────┤          │        ├───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc   │ GHSA-m425-mq94-257g │          │        │ v1.58.2           │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                   │
│                          │                     │          │        │                   │                        │ https://github.com/advisories/GHSA-m425-mq94-257g          │
│                          ├─────────────────────┼──────────┤        │                   ├────────────────────────┼────────────────────────────────────────────────────────────┤
│                          │ CVE-2023-44487      │ MEDIUM   │        │                   │ 1.58.3, 1.57.1, 1.56.3 │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable │
│                          │                     │          │        │                   │                        │ to a DDoS attack...                                        │
│                          │                     │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                 │
└──────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────────────┴────────────────────────────────────────────────────────────┘

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Steps to reproduce

Does this PR introduce a user-facing change?

Upgrades the minio/minio image to RELEASE.2023-11-11T08-14-41Z to resolve CVE-2023-46129 and GHSA-m425-mq94-257g with high severity, and CVE-2023-44487 with medium severity.

Does this PR require documentation?
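Scan tables like the ones above are usually what decides whether an image bump is urgent, so it helps to turn them into data a CI gate can act on. The following Python is an added example, not code from this PR or from the minio project: it parses Trivy's box-drawn table exactly as pasted in this PR (the `opt/bin/minio` table is embedded as the sample input), handles Trivy's merged cells (a blank Library, Severity, Status or Installed Version cell means "same as the row above") and wrapped titles, cross-checks the rows against Trivy's own `Total:` summary line, and applies an assumed policy that blocks on HIGH or CRITICAL findings for which a fixed version exists. The function names and the blocking policy are this example's own choices; the CVE identifiers and versions are those the PR reports.

```python
# Added example (not from this PR or the minio project): parse Trivy's table
# output, as pasted in the PR description, and gate on severe fixable findings.
from __future__ import annotations
from dataclasses import dataclass
import re

# Constructed sample: the opt/bin/minio table from the PR description, verbatim.
TRIVY_MINIO_TABLE = """\
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌──────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────────┐
│         Library          │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version      │                           Title                            │
├──────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ github.com/nats-io/nkeys │ CVE-2023-46129      │ HIGH     │ fixed  │ v0.4.5            │ 0.4.6                  │ nkeys: xkeys Seal encryption used fixed key for all        │
│                          │                     │          │        │                   │                        │ encryption                                                 │
│                          │                     │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-46129                 │
├──────────────────────────┼─────────────────────┤          │        ├───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc   │ GHSA-m425-mq94-257g │          │        │ v1.58.2           │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                   │
│                          │                     │          │        │                   │                        │ https://github.com/advisories/GHSA-m425-mq94-257g          │
│                          ├─────────────────────┼──────────┤        │                   ├────────────────────────┼────────────────────────────────────────────────────────────┤
│                          │ CVE-2023-44487      │ MEDIUM   │        │                   │ 1.58.3, 1.57.1, 1.56.3 │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable │
│                          │                     │          │        │                   │                        │ to a DDoS attack...                                        │
│                          │                     │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                 │
└──────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────────────┴────────────────────────────────────────────────────────────┘
"""

COLUMNS = ("library", "vuln_id", "severity", "status", "installed", "fixed")


@dataclass
class Finding:
    library: str
    vuln_id: str
    severity: str
    status: str
    installed: str
    fixed: str
    title: str = ""
    url: str = ""


def parse_trivy_table(text: str) -> list[Finding]:
    """Turn Trivy's box-drawn table into Finding records."""
    findings: list[Finding] = []
    current = None
    for line in text.splitlines():
        # Borders and merged-cell separators contain ─; data rows never do.
        if not line.startswith("│") or "─" in line:
            continue
        cells = [c.strip() for c in line.split("│")[1:-1]]
        if len(cells) != len(COLUMNS) + 1 or cells[0] == "Library":
            continue  # malformed row or the header row
        *fields, title = cells
        row = dict(zip(COLUMNS, fields))
        if row["vuln_id"]:
            # New finding. Trivy blanks a cell that is merged with the row
            # above, so blank cells inherit the previous finding's value.
            if current is not None:
                for key, value in row.items():
                    if not value:
                        row[key] = getattr(current, key)
            current = Finding(**row)
            findings.append(current)
        if current is None:
            continue
        # Continuation rows carry the rest of a wrapped title or the URL.
        if title.startswith("http"):
            current.url = title
        elif title:
            current.title = f"{current.title} {title}".strip()
    return findings


def parse_totals(text: str) -> dict[str, int]:
    """Read Trivy's 'Total: N (UNKNOWN: a, LOW: b, ...)' summary line."""
    m = re.search(r"Total: (\d+) \(([^)]*)\)", text)
    if not m:
        return {}
    per_level = (part.split(":") for part in m.group(2).split(","))
    return {"TOTAL": int(m.group(1)), **{k.strip(): int(v) for k, v in per_level}}


def blocking_findings(findings: list[Finding], block_on=("HIGH", "CRITICAL")) -> list[Finding]:
    """Assumed policy: fail the gate on severe findings that already have a fix."""
    return [f for f in findings if f.severity in block_on and f.fixed]


def counts_match_summary(findings: list[Finding], totals: dict[str, int]) -> bool:
    """Cross-check the parsed rows against Trivy's own summary line."""
    seen: dict[str, int] = {}
    for f in findings:
        seen[f.severity] = seen.get(f.severity, 0) + 1
    return totals.get("TOTAL") == len(findings) and all(
        totals.get(sev) == n for sev, n in seen.items())


if __name__ == "__main__":
    found = parse_trivy_table(TRIVY_MINIO_TABLE)
    for f in blocking_findings(found):
        print(f"BLOCK {f.vuln_id} ({f.severity}) {f.library} {f.installed} -> fix: {f.fixed}")
```

Run on the sample, the parser yields three findings, the summary cross-check passes, and the two HIGH entries (CVE-2023-46129 in nkeys v0.4.5 and GHSA-m425-mq94-257g in grpc v1.58.2) come back as blocking, which is exactly the case this PR resolves by moving to the newer image. In a real pipeline prefer `trivy --format json`, which avoids parsing box drawing at all; the table parser is useful when all you have is a pasted report like the one in this PR.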
