chore(deps): update curlimages/curl to v8.12.0 #3817

Merged: 1 commit, Feb 10, 2025

Conversation

tberreis (Contributor)

What this PR does / why we need it:
The image used for the probe webhook is about 3 years old and has some high-rated vulnerabilities.
The default should be updated to a more current release of curl.

curlimages/curl:7.83.1 (alpine 3.15.4)

Total: 28 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 12, CRITICAL: 1)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-4450  │ HIGH     │ fixed  │ 1.1.1n-r0         │ 1.1.1t-r0     │ openssl: double free after calling PEM_read_bio_ex          │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                   │
│              ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215  │          │        │                   │               │ openssl: use-after-free following BIO_new_NDEF              │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                   │
│              ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0286  │          │        │                   │               │ openssl: X.400 address type confusion in X.509 GeneralName  │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                   │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464  │          │        │                   │ 1.1.1t-r2     │ openssl: Denial of service by excessive resource usage in   │
│              │                │          │        │                   │               │ verifying X509 policy...                                    │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0464                   │
│              ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2022-2097  │ MEDIUM   │        │                   │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes                │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                   │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2022-4304  │          │        │                   │ 1.1.1t-r0     │ openssl: timing attack in RSA Decryption implementation     │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4304                   │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0465  │          │        │                   │ 1.1.1t-r2     │ openssl: Invalid certificate policies in leaf certificates  │
│              │                │          │        │                   │               │ are silently ignored                                        │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0465                   │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-2650  │          │        │                   │ 1.1.1u-r0     │ openssl: Possible DoS translating ASN.1 object identifiers  │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2650                   │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-3446  │          │        │                   │ 1.1.1u-r2     │ openssl: Excessive time spent checking DH keys and          │
│              │                │          │        │                   │               │ parameters                                                  │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3446                   │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-3817  │          │        │                   │ 1.1.1v-r0     │ OpenSSL: Excessive time spent checking DH q parameter value │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3817                   │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-5678  │          │        │                   │ 1.1.1w-r1     │ openssl: Generating excessively long X9.42 DH keys or       │
│              │                │          │        │                   │               │ checking excessively long X9.42...                          │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5678                   │
├──────────────┼────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl1.1    │ CVE-2022-4450  │ HIGH     │        │                   │ 1.1.1t-r0     │ openssl: double free after calling PEM_read_bio_ex          │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                   │
│              ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215  │          │        │                   │               │ openssl: use-after-free following BIO_new_NDEF              │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                   │
│              ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0286  │          │        │                   │               │ openssl: X.400 address type confusion in X.509 GeneralName  │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                   │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464  │          │        │                   │ 1.1.1t-r2     │ openssl: Denial of service by excessive resource usage in   │
│              │                │          │        │                   │               │ verifying X509 policy...                                    │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0464                   │
│              ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2022-2097  │ MEDIUM   │        │                   │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes                │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                   │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2022-4304  │          │        │                   │ 1.1.1t-r0     │ openssl: timing attack in RSA Decryption implementation     │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4304                   │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0465  │          │        │                   │ 1.1.1t-r2     │ openssl: Invalid certificate policies in leaf certificates  │
│              │                │          │        │                   │               │ are silently ignored                                        │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0465                   │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-2650  │          │        │                   │ 1.1.1u-r0     │ openssl: Possible DoS translating ASN.1 object identifiers  │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2650                   │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-3446  │          │        │                   │ 1.1.1u-r2     │ openssl: Excessive time spent checking DH keys and          │
│              │                │          │        │                   │               │ parameters                                                  │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3446                   │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-3817  │          │        │                   │ 1.1.1v-r0     │ OpenSSL: Excessive time spent checking DH q parameter value │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3817                   │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-5678  │          │        │                   │ 1.1.1w-r1     │ openssl: Generating excessively long X9.42 DH keys or       │
│              │                │          │        │                   │               │ checking excessively long X9.42...                          │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5678                   │
├──────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ nghttp2-dev  │ CVE-2023-35945 │ HIGH     │        │ 1.46.0-r0         │ 1.46.0-r1     │ envoy: HTTP/2 memory leak in nghttp2 codec                  │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-35945                  │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-44487 │          │        │                   │ 1.46.0-r2     │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable  │
│              │                │          │        │                   │               │ to a DDoS attack...                                         │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-44487                  │
├──────────────┼────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│ nghttp2-libs │ CVE-2023-35945 │          │        │                   │ 1.46.0-r1     │ envoy: HTTP/2 memory leak in nghttp2 codec                  │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-35945                  │
│              ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-44487 │          │        │                   │ 1.46.0-r2     │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable  │
│              │                │          │        │                   │               │ to a DDoS attack...                                         │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-44487                  │
├──────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ pkgconf      │ CVE-2023-24056 │ MEDIUM   │        │ 1.8.0-r0          │ 1.8.1-r0      │ pkgconf: unbounded string expansion due to incorrect checks │
│              │                │          │        │                   │               │ may result in buffer...                                     │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-24056                  │
├──────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ zlib         │ CVE-2022-37434 │ CRITICAL │        │ 1.2.12-r1         │ 1.2.12-r2     │ zlib: heap-based buffer over-read and overflow in inflate() │
│              │                │          │        │                   │               │ in inflate.c via a...                                       │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                  │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

curlimages/curl:8.12.0 (alpine 3.21.2)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2024-13176 │ MEDIUM   │ fixed  │ 3.3.2-r4          │ 3.3.2-r5      │ openssl: Timing side-channel in ECDSA signature computation │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                  │
├────────────┤                │          │        │                   │               │                                                             │
│ libssl3    │                │          │        │                   │               │                                                             │
│            │                │          │        │                   │               │                                                             │
└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
n/a

Special notes for your reviewer:
Tested locally. Everything seems to work as expected.
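The scan tables above are the argument for this bump, and the same data can drive a CI gate so the default image cannot silently age again. The following is an added example, not code from this PR or from the Gatekeeper project: a small Python gate that reads Trivy's JSON report (`trivy image --format json <image>`; field names `Results[].Vulnerabilities[].{VulnerabilityID,PkgName,InstalledVersion,FixedVersion,Status,Severity}` as Trivy emits them), reproduces the per-severity `Total:` line, and fails when a HIGH or CRITICAL finding already has a fixed version available. The two embedded reports are constructed by hand from a subset of the findings listed above so the script runs offline; they are not real scanner output. The default policy of only blocking on fixable findings is a design choice of this example, not a Trivy or project convention.

```python
"""Gate a container image on its Trivy scan results (added example).

The two JSON documents below are CONSTRUCTED: they follow the shape of
`trivy image --format json` output but contain only a handful of the
findings from the PR description, copied by hand. Not real scanner output.
"""
import json
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

OLD_IMAGE_SCAN = json.dumps({
    "ArtifactName": "curlimages/curl:7.83.1",
    "Results": [{
        "Target": "curlimages/curl:7.83.1 (alpine 3.15.4)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-37434", "PkgName": "zlib",
             "InstalledVersion": "1.2.12-r1", "FixedVersion": "1.2.12-r2",
             "Status": "fixed", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2022-4450", "PkgName": "libcrypto1.1",
             "InstalledVersion": "1.1.1n-r0", "FixedVersion": "1.1.1t-r0",
             "Status": "fixed", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2022-4450", "PkgName": "libssl1.1",
             "InstalledVersion": "1.1.1n-r0", "FixedVersion": "1.1.1t-r0",
             "Status": "fixed", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2022-2097", "PkgName": "libcrypto1.1",
             "InstalledVersion": "1.1.1n-r0", "FixedVersion": "1.1.1q-r0",
             "Status": "fixed", "Severity": "MEDIUM"},
        ],
    }],
})

NEW_IMAGE_SCAN = json.dumps({
    "ArtifactName": "curlimages/curl:8.12.0",
    "Results": [{
        "Target": "curlimages/curl:8.12.0 (alpine 3.21.2)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-13176", "PkgName": "libcrypto3",
             "InstalledVersion": "3.3.2-r4", "FixedVersion": "3.3.2-r5",
             "Status": "fixed", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2024-13176", "PkgName": "libssl3",
             "InstalledVersion": "3.3.2-r4", "FixedVersion": "3.3.2-r5",
             "Status": "fixed", "Severity": "MEDIUM"},
        ],
    }],
})


def findings(report_json):
    """Flatten Results[].Vulnerabilities[] into one list. Trivy omits the
    Vulnerabilities key for clean targets, so a missing list means empty."""
    report = json.loads(report_json)
    out = []
    for result in report.get("Results") or []:
        out.extend(result.get("Vulnerabilities") or [])
    return out


def severity_counts(report_json):
    """Per-severity counts using the same convention as Trivy's 'Total:'
    line: one finding per (package, CVE), so a CVE that hits both
    libcrypto and libssl is counted twice."""
    counts = Counter(v["Severity"] for v in findings(report_json))
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}


def unique_cves(report_json):
    """Distinct CVE IDs, the number an advisory reader actually cares about."""
    return sorted({v["VulnerabilityID"] for v in findings(report_json)})


def gate(report_json, fail_on=("HIGH", "CRITICAL"), fixed_only=True):
    """Return (passed, blocking_findings). With fixed_only=True only findings
    that already have a FixedVersion block the build: an unfixed CVE cannot
    be removed by bumping the tag, so it is surfaced but does not fail."""
    blocking = [
        v for v in findings(report_json)
        if v["Severity"] in fail_on
        and (not fixed_only or v.get("FixedVersion"))
    ]
    return (len(blocking) == 0, blocking)


def summarize(report_json):
    """Render the counts in the same layout as Trivy's table header line."""
    c = severity_counts(report_json)
    body = ", ".join("%s: %d" % (s, c[s]) for s in SEVERITY_ORDER)
    return "Total: %d (%s)" % (sum(c.values()), body)


if __name__ == "__main__":
    for label, scan in (("old", OLD_IMAGE_SCAN), ("new", NEW_IMAGE_SCAN)):
        passed, blocking = gate(scan)
        print(label, summarize(scan), "PASS" if passed else "FAIL")
        for v in blocking:
            print("  %s %s %s -> %s" % (v["VulnerabilityID"], v["PkgName"],
                                        v["InstalledVersion"], v["FixedVersion"]))
```

In a pipeline the JSON would come from `trivy image --format json --output report.json <image>` on the tag pinned in the chart defaults, and a non-zero exit on a failed gate is what stops the release; the `unique_cves` view is worth reporting alongside the raw total, since the per-package convention doubles every OpenSSL CVE in the tables above.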

@tberreis tberreis requested a review from a team as a code owner February 10, 2025 13:24
@codecov-commenter

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 47.72%. Comparing base (3350319) to head (99596bf).
Report is 251 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (3350319) and HEAD (99596bf).

HEAD has 1 upload less than BASE
Flag BASE (3350319) HEAD (99596bf)
unittests 2 1
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3817      +/-   ##
==========================================
- Coverage   54.49%   47.72%   -6.78%     
==========================================
  Files         134      235     +101     
  Lines       12329    19861    +7532     
==========================================
+ Hits         6719     9479    +2760     
- Misses       5116     9492    +4376     
- Partials      494      890     +396     
Flag Coverage Δ
unittests 47.72% <ø> (-6.78%) ⬇️

Flags with carried forward coverage won't be shown.


@ritazh (Member) left a comment

LGTM

Thanks for the PR! @tberreis

@sozercan (Member) left a comment

thank you! lgtm

@sozercan sozercan merged commit 9d5489c into open-policy-agent:master Feb 10, 2025
19 checks passed
4 participants