Update CNI binaries version to v1.4.1 #6334

Merged

Conversation

antoninbas
Contributor

CVE scanners are currently flagging CVE-2023-45288 (HIGH) in the antrea-agent image, because of the CNI plugin binaries. We bump up the version to v1.4.1 to avoid the warnings from CVE scanners.

@antoninbas
Contributor Author

No need to backport, as the CVE does not impact Antrea. We ship the following CNI plugins: bandwidth, host-local, loopback, portmap. None of these run an HTTP server.

Another note of interest: the original binaries for 1.4.1 were built with go1.21.7 and were "affected" by the CVE. However, the binaries were rebuilt recently with a more recent go version (go1.22.3) and are no longer "affected". See containernetworking/plugins#1038. This is not ideal because release artifacts should be immutable, but using the new binaries should not negatively impact us.
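The toolchain half of that triage can be automated. The following is an added example, not code from this PR or from Antrea: it parses the text that `go version -m <binary>` prints for a Go binary and reports whether the toolchain that built it includes the upstream fix for CVE-2023-45288 (go1.21.9 / go1.22.2, taken from the Go security announcement rather than from this PR); the sample output is constructed. A patched toolchain clears the scanner finding; an unpatched one still only matters if the binary actually serves HTTP/2, which is the point made above about the shipped plugins.

```python
import re
from typing import Optional

# Toolchains that shipped the fix for CVE-2023-45288 (Go security release of
# 2024-04-03: go1.21.9 and go1.22.2). Taken from the upstream announcement; the
# PR only says 1.21.7 was flagged and 1.22.3 was not. Series below 1.21 were
# already out of support and never received the fix.
FIXED_PATCH = {21: 9, 22: 2}
OLDEST_PATCHED_MINOR = 21
GO_VERSION_RE = re.compile(r"^go1\.(\d+)(?:\.(\d+))?")


def parse_go_version(v: str) -> Optional[tuple]:
    """'go1.22.3' -> (22, 3); 'go1.21' -> (21, 0); rc/beta builds -> None."""
    m = GO_VERSION_RE.match(v)
    if not m or re.search(r"(rc|beta)\d*$", v):
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def toolchain_patched(v: str) -> bool:
    """True if the toolchain that built the binary contains the net/http fix."""
    parsed = parse_go_version(v)
    if parsed is None:
        return False  # unknown or pre-release toolchain: treat as unpatched
    minor, patch = parsed
    if minor < OLDEST_PATCHED_MINOR:
        return False
    if minor in FIXED_PATCH:
        return patch >= FIXED_PATCH[minor]
    return True  # 1.23 and later branched after the fix


def triage(go_version_m_output: str) -> dict:
    """Turn `go version -m <binary>` text into a triage record for one binary."""
    lines = go_version_m_output.strip().splitlines()
    name, _, toolchain = lines[0].partition(": ")
    record = {"binary": name, "toolchain": toolchain, "module": None,
              "module_version": None,
              "toolchain_patched_for_cve_2023_45288": toolchain_patched(toolchain)}
    for line in lines[1:]:
        fields = line.strip().split("\t")  # path / mod / dep / build rows
        if fields[0] == "mod" and len(fields) >= 3:
            record["module"], record["module_version"] = fields[1], fields[2]
    return record


# Constructed sample (not captured from real binaries): portmap as built with
# go1.21.7, then as rebuilt with go1.22.3. The h1: hash is a placeholder.
SAMPLE_OLD = ("portmap: go1.21.7\n"
              "\tpath\tgithub.com/containernetworking/plugins/plugins/meta/portmap\n"
              "\tmod\tgithub.com/containernetworking/plugins\tv1.4.1\th1:PLACEHOLDER\n")
SAMPLE_NEW = SAMPLE_OLD.replace("go1.21.7", "go1.22.3")
```

Run it against real output by piping `go version -m /opt/cni/bin/portmap` into `triage`; the same record layout works for the other shipped plugins.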

Member

@tnqn tnqn left a comment

LGTM

@antoninbas
Contributor Author

Depends on #6337

CVE scanners are currently flagging CVE-2023-45288 (HIGH) in the
antrea-agent image, because of the CNI plugin binaries. We bump up the
version to v1.4.1 to avoid the warnings from CVE scanners.

Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
@antoninbas antoninbas force-pushed the update-cni-binaries-version-to-v1.4.1 branch from 36ed7d0 to ead46ad on May 17, 2024 04:31
@antoninbas
Contributor Author

/test-all

@antoninbas antoninbas merged commit b1110a9 into antrea-io:main May 20, 2024
52 of 55 checks passed
@antoninbas antoninbas deleted the update-cni-binaries-version-to-v1.4.1 branch May 20, 2024 17:21
antoninbas added a commit to antoninbas/antrea that referenced this pull request May 21, 2024
antoninbas added a commit that referenced this pull request May 22, 2024