Vulnerability CVE-2022-23308 for libxml2 #8321
Comments
Please show your scanner's report.
Removing label bug until the report is available here to look at.
/remove-kind bug
alpinelinux/docker-alpine#240
My understanding is that libxml2 is used for XML parsing, https://en.wikipedia.org/wiki/Libxml2. The ngx_http_xslt_module requires libxml2.
/triage accepted
Once you get an answer back from the Alpine Linux issue we can look to implement that fix. Thank you,
We discussed in the community on 3/15 upgrading to Alpine 3.15. Let's test that and move forward with the update. @fred214 can you post the tool you used for scanning and the CVE for this vuln. Thanks -James
Here is my scan report with aquasecurity/trivy
alpine:3.14 has updated libxml2 to version 2.9.13-r0 on 2022-03-11, https://pkgs.alpinelinux.org/packages?name=libxml2&branch=v3.14
/reopen
[~] % grype
NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY
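The decision the two comments above are making by hand (installed libxml2 2.9.12-r1 against the 2.9.13-r0 that Alpine 3.14 now ships) can be re-run mechanically against a scanner's JSON report. The script below is an added example for this thread, not code from the ingress-nginx project or from grype: it embeds a constructed document in the shape of `grype -o json` output (`matches[].artifact`, `matches[].vulnerability.fix`), implements a simplified apk version comparison (dotted numeric components, an optional trailing letter and the `-rN` package release; apk's `_alpha`/`_p` suffixes are rejected rather than mis-ordered), and reports which findings would remain open after a planned package bump, so a base-image rebase can be evaluated before the image is rebuilt and rescanned.

```python
"""Re-check scanner findings for Alpine (apk) packages against their fix versions.

Added example for this issue thread; not ingress-nginx or grype code. The input
mimics `grype -o json` and the sample document is constructed, not a real scan.
"""
import json
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample in the shape of grype's JSON report. The versions mirror the
# thread: libxml2 2.9.12-r1 installed, fix 2.9.13-r0 in the Alpine 3.14 repo.
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {
            "vulnerability": {
                "id": "CVE-2022-23308",
                "fix": {"versions": ["2.9.13-r0"], "state": "fixed"},
            },
            "artifact": {"name": "libxml2", "version": "2.9.12-r1", "type": "apk"},
        },
    ]
})

# Simplified apk version grammar (assumption): 1.2.3, 1.2.3a, 1.2.3-r4, 1.2.3a-r4.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?$")

VersionKey = Tuple[Tuple[int, ...], str, int]


def parse_apk_version(version: str) -> VersionKey:
    """Turn '2.9.12-r1' into a sortable key ((2, 9, 12), '', 1).

    Raises ValueError for suffixes this simplified grammar does not cover
    (e.g. _alpha, _p1) instead of silently ordering them wrongly.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported apk version string: {version!r}")
    numbers, letter, release = m.groups()
    # '' sorts before 'a', so 1.0.2 < 1.0.2a; the release number breaks ties.
    return (tuple(int(p) for p in numbers.split(".")), letter, int(release or 0))


def still_vulnerable(installed: str, fix_versions: Sequence[str]) -> bool:
    """True unless the installed version is at or above one of the fix versions.

    An empty fix list (grype state 'not-fixed') is treated as still vulnerable,
    because no version bump can resolve it.
    """
    if not fix_versions:
        return True
    current = parse_apk_version(installed)
    return not any(current >= parse_apk_version(fix) for fix in fix_versions)


def open_findings(report_json: str,
                  upgrades: Optional[Dict[str, str]] = None) -> List[Tuple[str, str, str, str]]:
    """Return (cve, package, installed, fixed-in) for every finding still open.

    `upgrades` maps package name -> version you plan to ship (for example the
    version a newer Alpine tag provides), so the report is re-evaluated against
    the planned image rather than the scanned one.
    """
    upgrades = upgrades or {}
    report = json.loads(report_json)
    remaining = []
    for match in report.get("matches", []):
        artifact = match["artifact"]
        if artifact.get("type") != "apk":
            continue  # only apk version strings are understood by this comparator
        name = artifact["name"]
        installed = upgrades.get(name, artifact["version"])
        fixes = match["vulnerability"].get("fix", {}).get("versions", [])
        if still_vulnerable(installed, fixes):
            remaining.append((match["vulnerability"]["id"], name, installed,
                              ", ".join(fixes) or "none"))
    return remaining


if __name__ == "__main__":
    print("as scanned:", open_findings(SAMPLE_GRYPE_JSON))
    print("after libxml2 -> 2.9.13-r0:",
          open_findings(SAMPLE_GRYPE_JSON, {"libxml2": "2.9.13-r0"}))
```

Run it against a real report with `grype -o json <image> > report.json` and pass the file contents to `open_findings`; trivy's JSON layout differs, so its report would need its own loader. Findings with an empty fix list are deliberately kept open, since those are exactly the ones a base-image bump cannot close.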
@longwuyuan: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@strongjz @rikatz @tao12345666333, now there are 2 CVEs: this one and #8339, requiring a new base image and promotion.
/priority important-short-term
@longwuyuan: The label(s) In response to this:
/priority important-soon
@strongjz: Closing this issue. In response to this:
* patches kubernetes/ingress-nginx#8339
* patches kubernetes/ingress-nginx#8321
Hi, our scanner reported libxml2 v2.9.12-r1 has a vulnerability. I think it belongs to upstream, and I already created issue alpinelinux/docker-alpine#240.
I want to know what libxml2 is used for? https://github.com/kubernetes/ingress-nginx/blob/main/images/nginx/rootfs/Dockerfile#L50, maybe I can remove it from the base image.
As I understand it, Alpine is a base binary release; is there any possibility that I can build it like the other libraries that are used for nginx? Thanks a lot