
[fix] Use Alpine 3.21 in base image #23964

Merged (1 commit), Feb 11, 2025
Conversation

merlimat
Contributor

Motivation

There are several CVEs in the base image with Alpine 3.20 that are already fixed in 3.21:

apachepulsar/pulsar:4.0.2 (alpine 3.20.5)

Total: 14 (UNKNOWN: 0, LOW: 3, MEDIUM: 7, HIGH: 4, CRITICAL: 0)

┌──────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│       Library        │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├──────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ bind-libs            │ CVE-2024-11187 │ HIGH     │ fixed  │ 9.18.32-r0        │ 9.18.33-r0    │ bind: bind9: Many records in the additional section cause   │
│                      │                │          │        │                   │               │ CPU exhaustion                                              │
│                      │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-11187                  │
│                      ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│                      │ CVE-2024-12705 │          │        │                   │               │ bind: bind9: DNS-over-HTTPS implementation suffers from     │
│                      │                │          │        │                   │               │ multiple issues under heavy query load...                   │
│                      │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12705                  │
├──────────────────────┼────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│ bind-tools           │ CVE-2024-11187 │          │        │                   │               │ bind: bind9: Many records in the additional section cause   │
│                      │                │          │        │                   │               │ CPU exhaustion                                              │
│                      │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-11187                  │
│                      ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│                      │ CVE-2024-12705 │          │        │                   │               │ bind: bind9: DNS-over-HTTPS implementation suffers from     │
│                      │                │          │        │                   │               │ multiple issues under heavy query load...                   │
│                      │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12705                  │
├──────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto3           │ CVE-2024-13176 │ MEDIUM   │        │ 3.3.2-r1          │ 3.3.2-r2      │ openssl: Timing side-channel in ECDSA signature computation │
│                      │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                  │
│                      ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                      │ CVE-2024-9143  │ LOW      │        │                   │ 3.3.2-r3      │ openssl: Low-level invalid GF(2^m) parameters lead to OOB   │
│                      │                │          │        │                   │               │ memory access                                               │
│                      │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-9143                   │
├──────────────────────┼────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3              │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r2      │ openssl: Timing side-channel in ECDSA signature computation │
│                      │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                  │
│                      ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                      │ CVE-2024-9143  │ LOW      │        │                   │ 3.3.2-r3      │ openssl: Low-level invalid GF(2^m) parameters lead to OOB   │
│                      │                │          │        │                   │               │ memory access                                               │
│                      │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-9143                   │
├──────────────────────┼────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│ openssl              │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r2      │ openssl: Timing side-channel in ECDSA signature computation │
│                      │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                  │
│                      ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                      │ CVE-2024-9143  │ LOW      │        │                   │ 3.3.2-r3      │ openssl: Low-level invalid GF(2^m) parameters lead to OOB   │
│                      │                │          │        │                   │               │ memory access                                               │
│                      │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-9143                   │
├──────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ pyc                  │ CVE-2025-0938  │ MEDIUM   │        │ 3.12.8-r1         │ 3.12.9-r0     │ python: cpython: URL parser allowed square brackets in      │
│                      │                │          │        │                   │               │ domain names                                                │
│                      │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-0938                   │
├──────────────────────┤                │          │        │                   │               │                                                             │
│ python3              │                │          │        │                   │               │                                                             │
│                      │                │          │        │                   │               │                                                             │
│                      │                │          │        │                   │               │                                                             │
├──────────────────────┤                │          │        │                   │               │                                                             │
│ python3-pyc          │                │          │        │                   │               │                                                             │
│                      │                │          │        │                   │               │                                                             │
│                      │                │          │        │                   │               │                                                             │
├──────────────────────┤                │          │        │                   │               │                                                             │
│ python3-pycache-pyc0 │                │          │        │                   │               │                                                             │
│                      │                │          │        │                   │               │                                                             │
│                      │                │          │        │                   │               │                                                             │
└──────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Modifications

Verifying this change

  • Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (10MB)
  • Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository:

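The scan above is the kind of signal a build pipeline can act on automatically. The following is an added example, not code from the Pulsar project or this PR: it reads a Trivy JSON report (the field names follow Trivy's JSON report layout; the embedded report is a constructed subset of the scan quoted above), counts findings by severity, lists the package fix versions a newer base image must ship, and fails the build when a fixable HIGH or CRITICAL finding is present.

```python
import json
from collections import Counter
# Constructed sample in Trivy's JSON report layout, mirroring a subset of the
# scan quoted in the PR body (the real scan listed 14 findings).
TRIVY_JSON = json.dumps({
    "ArtifactName": "apachepulsar/pulsar:4.0.2",
    "Metadata": {"OS": {"Family": "alpine", "Name": "3.20.5"}},
    "Results": [{
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-11187", "PkgName": "bind-libs", "Severity": "HIGH",
             "Status": "fixed", "InstalledVersion": "9.18.32-r0", "FixedVersion": "9.18.33-r0"},
            {"VulnerabilityID": "CVE-2024-13176", "PkgName": "libcrypto3", "Severity": "MEDIUM",
             "Status": "fixed", "InstalledVersion": "3.3.2-r1", "FixedVersion": "3.3.2-r2"},
            {"VulnerabilityID": "CVE-2024-9143", "PkgName": "libcrypto3", "Severity": "LOW",
             "Status": "fixed", "InstalledVersion": "3.3.2-r1", "FixedVersion": "3.3.2-r3"},
            {"VulnerabilityID": "CVE-2025-0938", "PkgName": "python3", "Severity": "MEDIUM",
             "Status": "fixed", "InstalledVersion": "3.12.8-r1", "FixedVersion": "3.12.9-r0"},
        ],
    }],
})

BLOCKING = {"HIGH", "CRITICAL"}  # severities that should fail the image build

def evaluate_scan(report_json, blocking=BLOCKING):
    """Return (os_version, counts_by_severity, blockers, upgrades).
    blockers: fixable findings at a blocking severity (CVE, pkg, installed, fixed).
    upgrades: pkg -> set of FixedVersions, i.e. what a newer base image must ship.
    """
    report = json.loads(report_json)
    os_meta = report.get("Metadata", {}).get("OS", {})
    os_version = f"{os_meta.get('Family', '?')} {os_meta.get('Name', '?')}"
    counts, blockers, upgrades = Counter(), [], {}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            counts[sev] += 1
            # Only findings with an upstream fix are actionable by bumping the base image.
            if v.get("Status") != "fixed" or not v.get("FixedVersion"):
                continue
            upgrades.setdefault(v["PkgName"], set()).add(v["FixedVersion"])
            if sev in blocking:
                blockers.append((v["VulnerabilityID"], v["PkgName"],
                                 v.get("InstalledVersion"), v["FixedVersion"]))
    return os_version, counts, blockers, upgrades

if __name__ == "__main__":
    os_version, counts, blockers, upgrades = evaluate_scan(TRIVY_JSON)
    print(f"{os_version}: {dict(counts)}; packages needing newer fixes: {sorted(upgrades)}")
    for cve, pkg, installed, fixed in blockers:
        print(f"BLOCKING {cve} in {pkg} {installed} -> fixed in {fixed}")
    raise SystemExit(1 if blockers else 0)
```

Run against a real report produced with `trivy image --format json`, the same check would have flagged the bind-libs/bind-tools HIGH findings on the 3.20.5 image and passed once the 3.21 base shipped the fixed package versions.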
@merlimat merlimat added this to the 4.1.0 milestone Feb 11, 2025
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Feb 11, 2025
codecov-commenter commented Feb 11, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.30%. Comparing base (bbc6224) to head (09cf921).
Report is 899 commits behind head on master.

Additional details and impacted files


@@             Coverage Diff              @@
##             master   #23964      +/-   ##
============================================
+ Coverage     73.57%   74.30%   +0.72%     
+ Complexity    32624    31916     -708     
============================================
  Files          1877     1853      -24     
  Lines        139502   143821    +4319     
  Branches      15299    16339    +1040     
============================================
+ Hits         102638   106863    +4225     
+ Misses        28908    28578     -330     
- Partials       7956     8380     +424     
Flag        Coverage Δ
inttests    26.74% <ø> (+2.15%) ⬆️
systests    23.23% <ø> (-1.09%) ⬇️
unittests   73.81% <ø> (+0.96%) ⬆️

Flags with carried forward coverage won't be shown.

see 1043 files with indirect coverage changes

@lhotari lhotari merged commit 69a55ca into apache:master Feb 11, 2025
55 of 56 checks passed
@merlimat merlimat deleted the alpine-3.21 branch February 11, 2025 20:59
merlimat added a commit that referenced this pull request Feb 11, 2025
merlimat added a commit that referenced this pull request Feb 11, 2025
hanmz pushed a commit to hanmz/pulsar that referenced this pull request Feb 12, 2025
mukesh-ctds pushed a commit to datastax/pulsar that referenced this pull request Feb 20, 2025