Flux 1.18 container vulnerable to CVE-2020-6750

[willholley]

The Flux 1.18.0 container reports as vulnerable to CVE-2020-6750 when scanned by the IBM Cloud container registry.

Vulnerable Packages Found
=========================

Vulnerability ID   Policy Status   Affected Packages   How to Resolve
CVE-2020-6750      Active          glib                Upgrade glib to >= 2.62.5-r0

Would it be possible to get the container rebuilt with the updated package?

[hiddeco]

There has been a discussion about CVEs before in #2143

[hiddeco]

Errr #1964

Quoting from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6750

The greatest security relevance is in use cases where a proxy is used to help with privacy/anonymity, even though there is no technical barrier to a direct connection.

You have to place CVEs into context, and given this I would not rate this a severe issue to a Flux user nor the cluster it is running in.

Our current release process isn’t designed to provide patch builds for CVEs and it would require a complete new patch release. This is simply not worth the effort.