Security: new CVEs in 0.12.0 release AND in master, new fixes/release coming?

[kramvan1]

Type of question

Security updates for images, as new CVEs are found in existing latest release, how to get them fixed and new release spun?

Fix is just and OS package update:
Upgrade libcrypto1.1 to >= 1.1.1d-r0 Upgrade libssl1.1 to >= 1.1.1d-r0

Related to #1036

Question

What did you do?

Ran IBM VA scanner against master AND 0.12.0 image:

What did you expect to see?

No CVEs

What did you see instead? Under which circumstances?

3 CVEs found

• CVE-2019-1547 | libcrypto1.1libssl1.1
• CVE-2019-1549 | libcrypto1.1libssl1.1
• CVE-2019-1563 | libcrypto1.1libssl1.1

Environment

• operator-lifecycle-manager version:

master and 0.12.0

[ecordell]

OLM does not link openssl libs, so there shouldn't be any issue.

But just in case someone is affected (by running non-olm code in the container), I have made a PR that will pull in the latest updates. APK has the fixed packages already: #1067

[kramvan1]

@ecordell thx for update. Wouldn't it be easier to just remove the unneeded packages like this near the end of the Docker build? Or go distro-less? Unfortunately, I have to respond to each CVE, so that means tracking it down and figuring the impact, nicer to not have it in the first place.