Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update CNI binaries version to v1.4.1 #6334

Merged

Conversation

antoninbas
Copy link
Contributor

CVE scanners are currently flagging CVE-2023-45288 (HIGH) in the antrea-agent image, because of the CNI plugin binaries. We bump up the version to v1.4.1 to avoid the warnings from CVE scanners.

@antoninbas
Copy link
Contributor Author

No need to backport, as the CVE does not impact Antrea. We ship the following CNI plugins: bandwidth, host-local, loopback, portmap. None of these run an HTTP server.

Another note of interest: the original binaries for 1.4.1 were build with go1.21.7 and were "affected" by the CVE. However, the binaries were rebuilt recently with a more recent go version (go1.22.3) and are no longer "affected". See containernetworking/plugins#1038. This is not ideal because release artifacts should be immutable, but using the new binaries should not negatively impact us.

Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@antoninbas
Copy link
Contributor Author

Depends on #6337

CVE scanners are currently flagging CVE-2023-45288 (HIGH) in the
antrea-agent image, because of the CNI plugin binaries. We bump up the
version to v1.4.1 to avoid the warnings from CVE scanners.

Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
@antoninbas antoninbas force-pushed the update-cni-binaries-version-to-v1.4.1 branch from 36ed7d0 to ead46ad Compare May 17, 2024 04:31
@antoninbas
Copy link
Contributor Author

/test-all

@antoninbas antoninbas merged commit b1110a9 into antrea-io:main May 20, 2024
52 of 55 checks passed
@antoninbas antoninbas deleted the update-cni-binaries-version-to-v1.4.1 branch May 20, 2024 17:21
antoninbas added a commit to antoninbas/antrea that referenced this pull request May 21, 2024
CVE scanners are currently flagging CVE-2023-45288 (HIGH) in the
antrea-agent image, because of the CNI plugin binaries. We bump up the
version to v1.4.1 to avoid the warnings from CVE scanners.

Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
antoninbas added a commit that referenced this pull request May 22, 2024
CVE scanners are currently flagging CVE-2023-45288 (HIGH) in the
antrea-agent image, because of the CNI plugin binaries. We bump up the
version to v1.4.1 to avoid the warnings from CVE scanners.

Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants