What are the security guidelines for OLM fixing known CVEs? #1036
Comments
Currently, our upstream releases do not carry an SLA for fixing known CVEs. This is already fixed in the master tag, and we will be making another minor release within a week or so to fix this.
@ecordell Thx for the info. Are there plans to put out an SLA statement regarding security/CVE resolution? Trying to understand how to consume this for production and have some type of timeframe for getting high-severity security fixes.
@ecordell Friendly reminder that the current 0.12.0 release has 3 CVEs. Hopefully there will be a new release soon. I checked master just now, and it scanned clean.
@ecordell Any updates on a new release to pick up the CVE fixes?
@ecordell Any timeframe for the 0.13.0 release?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Working with @dmesser to come up with a process for getting release spins.
Type of question
OLM Security
Question
What are the security guidelines for OLM fixing known CVEs?
What did you do?
I see the 0.11.0 release out as the latest release, but it is flagged with a CVE: https://quay.io/repository/operator-framework/olm/manifest/sha256:81813ac9c937187c29e080c0975bb18489c1f232009c38c8d3a27bc9956ddd21?tab=vulnerabilities&fixable=true
What did you expect to see?
I expect to see a 0.11.1 release spin to pick up and fix the CVE within a reasonable timeframe (a couple of weeks?).
What did you see instead? Under which circumstances?
No new release to pick up the CVE fixes.
Environment
Latest 0.11.0
Kubernetes version information:
n/a
Kubernetes cluster kind:
n/a
Additional context
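The check the reporter did by hand (open the manifest's vulnerabilities tab with `fixable=true`) is the kind of thing a consumer will want to automate as a deployment gate while waiting for a patch release. The script below is an added example, not code from the OLM project or from anyone in this thread. It assumes the JSON shape of Quay's manifest security endpoint (`/api/v1/repository/<repo>/manifest/<digest>/security?vulnerabilities=true`), which wraps a Clair layer report as `data.Layer.Features[].Vulnerabilities[]` with `Name`, `Severity` and `FixedBy`; the payload it parses is constructed inline (the CVE identifiers are placeholders, not real advisories) so it runs offline. The gate fails closed: a scan that is still queued blocks just like a scan with fixable findings.

```python
"""Filter a Quay/Clair manifest security report for fixable vulnerabilities.

Added example; not OLM project code. Response shape is an assumption based on
Quay's manifest security API (a Clair layer report under data.Layer).
Fetching is left out so the example runs offline; a real call would be roughly:
  curl -s "https://quay.io/api/v1/repository/operator-framework/olm/manifest/<digest>/security?vulnerabilities=true"
"""
import json

# Severity labels as used in Clair/Quay reports, ranked highest first (assumed label set).
SEVERITY_RANK = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Negligible": 1, "Unknown": 0}

# Constructed sample payload. Package names, versions and CVE ids are placeholders.
SAMPLE_SCAN = json.dumps({
    "status": "scanned",
    "data": {"Layer": {"Features": [
        {"Name": "openssl", "Version": "1.1.1c-r0", "Vulnerabilities": [
            {"Name": "CVE-0000-0001", "Severity": "High", "FixedBy": "1.1.1d-r0"},
        ]},
        {"Name": "musl", "Version": "1.1.22-r2", "Vulnerabilities": [
            {"Name": "CVE-0000-0002", "Severity": "Medium", "FixedBy": "1.1.22-r3"},
            {"Name": "CVE-0000-0003", "Severity": "Low", "FixedBy": ""},  # no fix available yet
        ]},
    ]}},
})

# Constructed edge cases: a scan that has not finished, and a clean image.
UNSCANNED = json.dumps({"status": "queued", "data": None})
CLEAN = json.dumps({"status": "scanned", "data": {"Layer": {"Features": []}}})


def fixable_vulns(scan_json, min_severity="High"):
    """Return fixable findings at or above min_severity, most severe first.

    A finding is "fixable" when the scanner names a FixedBy version, which is
    the same filter as the ?fixable=true view in the Quay UI.
    Raises ValueError if the scan has not completed, so callers cannot
    mistake "not scanned yet" for "nothing found".
    """
    scan = json.loads(scan_json)
    if scan.get("status") != "scanned":
        raise ValueError("scan not complete: status=%r" % scan.get("status"))
    threshold = SEVERITY_RANK[min_severity]
    found = []
    layer = (scan.get("data") or {}).get("Layer") or {}
    for feature in layer.get("Features") or []:
        for vuln in feature.get("Vulnerabilities") or []:
            fixed_by = vuln.get("FixedBy") or ""
            severity = vuln.get("Severity", "Unknown")
            if fixed_by and SEVERITY_RANK.get(severity, 0) >= threshold:
                found.append({
                    "cve": vuln["Name"],
                    "severity": severity,
                    "package": feature["Name"],
                    "installed": feature.get("Version"),
                    "fixed_by": fixed_by,
                })
    found.sort(key=lambda v: (-SEVERITY_RANK.get(v["severity"], 0), v["cve"]))
    return found


def should_block(scan_json, min_severity="High"):
    """Deployment gate: (block?, reason). Fails closed on an incomplete scan."""
    try:
        vulns = fixable_vulns(scan_json, min_severity)
    except ValueError as exc:
        return True, str(exc)
    if vulns:
        noun = "vulnerability" if len(vulns) == 1 else "vulnerabilities"
        return True, "%d fixable %s at or above %s" % (len(vulns), noun, min_severity)
    return False, "no fixable vulnerabilities at or above %s" % min_severity


if __name__ == "__main__":
    block, reason = should_block(SAMPLE_SCAN, "Medium")
    print("block=%s (%s)" % (block, reason))
    for v in fixable_vulns(SAMPLE_SCAN, "Medium"):
        print("  %(severity)-8s %(cve)s %(package)s %(installed)s -> %(fixed_by)s" % v)
```

Pinning the image by digest (as the reporter's link does) rather than by tag is what makes this gate meaningful: the scan result belongs to one immutable manifest, so a re-tagged image cannot silently pass on an old report.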