Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Addressing a lot of security vulnerabilities in the latest Cadence release #5037

Open
sonpham96 opened this issue Dec 1, 2022 · 2 comments

Comments

@sonpham96
Copy link
Contributor

Version of Cadence server, and client(which language)
This is very important to root cause bugs.

  • Server version: v0.24.0
  • Client version:
  • Client langauge:

Describe the bug
A clear and concise description of what the bug is.

There are a lot of CVEs found by scanning the latest release image v0.24.0. Most of these CVEs are resolved in the image built from master. Following is the list of CVEs:

CVEs that may be fixed by [#5035] (pending review):

CVEs that have already been fixed by [#4957], but have not been released:

CVEs that have already been fixed by [#4804], but have yet made it to v0.24.0:

Not fixed:

Would it be possible for another release of Cadence to make it in a few weeks left of this year? The latest one has been released for more than half year already.

To Reproduce
Is the issue reproducible?

  • Yes, with any security vulnerability scanner on the Cadence server image.

Steps to reproduce the behavior:
A clear and concise description of the reproduce steps.

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here, E.g. Stackstace, workflow history.

I have made a similar request back in August: #4803 (comment).

@thle40
Copy link

thle40 commented Jan 31, 2023

Echo on this topic and I would like to add more Critical CVEs found with later twistlock version which put our system into high risk state
curl
CVE-2022-43551
bash
CVE-2022-3715
go
CVE-2022-30629
CVE-2022-41717
busybox
CVE-2021-42376

@thle40
Copy link

thle40 commented Mar 1, 2023

With new version of twistlock, more critical CVEs found which impact to security of our system
go

OS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants