Dependencies updated or ignored for CVE vulnerabilities #2173
elelaysh wants to merge 1 commit into stackhpc/2025.1 from
Conversation
- bump cadvisor to 0.56.2
- Ignore CVE-2024-24790 in prometheus mtail exporter: control plane is trusted
- Upgrade prometheus-msteams to 1.5.3 to fix CVE-2023-24538 CVE-2023-24540
- Bump grafana to 12.3.3 to fix CVE-2025-68121. grafana server 12.3.3 is fixed but the opensearch-datasource plugin is still affected.
- Bump etcd to 3.5.27 to fix CVE-2025-68121
- Ignore CVE-2025-68121 for prometheus images
  - server-side: exporters and server are not listening with tls
  - as client: only querying known services
- Ignore CVE-2025-68121 for influxdb: No new version is available and it runs on a secure network
- Ignore CVE-2025-68121 for letsencrypt-lego: it only talks to known servers
- Ignore CVE-2025-68121 for neutron: it is the docker client that triggers it and we don't speak to remote docker over tls
d90bbda to c50bc98
Code Review
This pull request updates several dependencies to address CVEs and ignores others with justifications. The dependency updates for etcd, cadvisor, and prometheus-msteams look correct. The CVE suppressions are also in line with the descriptions. My main feedback is to add the justifications for ignoring CVEs as comments in the allowed-vulnerabilities.yml file. This will improve the maintainability of the configuration by making it self-documenting, explaining why certain vulnerabilities are considered acceptable risks in this context.
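The review above asks for every suppressed CVE in allowed-vulnerabilities.yml to carry its justification as a comment. The following checker is an added example (not code from this PR or from the stackhpc project) that enforces that rule in CI: it reads the file as raw text, because a YAML loader would discard the comments, and reports every `<image>_allowed_vulnerabilities` entry that has neither an inline `# ...` justification nor a comment line directly above it. The sample document embedded below is constructed for illustration and only mirrors the shape of the entries visible in this PR; the variable naming convention is assumed from the `prometheus_msteams_allowed_vulnerabilities` hunk.

```python
import re
from typing import List, Optional, Tuple

# One `<image>_allowed_vulnerabilities:` key introduces a list of CVE ids.
KEY_RE = re.compile(r"^([A-Za-z0-9_]+_allowed_vulnerabilities):\s*$")
# A list item, optionally followed by an inline justification comment.
CVE_RE = re.compile(r"^\s*-\s*(CVE-\d{4}-\d{4,})\s*(?:#\s*(.*))?$")
# A stand-alone comment line, which justifies the next CVE entry.
COMMENT_RE = re.compile(r"^\s*#\s*(.*)$")

Entry = Tuple[str, str, Optional[str]]  # (variable, cve id, justification)


def parse_allowed(text: str) -> List[Entry]:
    """Parse the ignore list line by line, keeping comments attached to entries.

    A justification is either an inline `# ...` on the CVE line or a comment
    line immediately preceding it. A blank line or a new key resets the
    pending comment so a justification cannot bleed across blocks.
    """
    entries: List[Entry] = []
    current_key: Optional[str] = None
    pending: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            pending = None
            continue
        m = KEY_RE.match(line)
        if m:
            current_key, pending = m.group(1), None
            continue
        m = COMMENT_RE.match(line)
        if m:
            pending = m.group(1).strip()
            continue
        m = CVE_RE.match(line)
        if m and current_key:
            cve, inline = m.group(1), m.group(2)
            justification = (inline or pending or "").strip() or None
            entries.append((current_key, cve, justification))
            pending = None
    return entries


def undocumented(text: str) -> List[Tuple[str, str]]:
    """Return (variable, cve) pairs that were suppressed without a reason."""
    return [(key, cve) for key, cve, why in parse_allowed(text) if why is None]


# Constructed sample, modelled on the allowed-vulnerabilities.yml hunk in this PR.
SAMPLE = """\
# Constructed example document (not the project's real file).
prometheus_allowed_vulnerabilities:
  # exporters and server do not listen with TLS; as a client they only query known services
  - CVE-2025-68121
influxdb_allowed_vulnerabilities:
  - CVE-2025-68121  # no fixed release available; runs on a secure network
prometheus_msteams_allowed_vulnerabilities:
  - CVE-2024-45337
  - CVE-2025-68121
"""

if __name__ == "__main__":
    missing = undocumented(SAMPLE)
    for key, cve in missing:
        print(f"{key}: {cve} has no justification comment")
    raise SystemExit(1 if missing else 0)
```

Run it against the real file by replacing `SAMPLE` with the file contents; a non-zero exit blocks the merge until each suppression states why the risk is acceptable, which is exactly the self-documenting property the review asks for.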
Cherry-picked 3c961f2 from stackhpc/2024.1

@elelaysh are you going to rebuild against this spec, or do the current containers conform to this?
| [prometheus-msteams] | ||
| version = 1.5.3 | ||
| sha256 = amd64:8eae63d89338f53a990fa2720b3fabf58c916e2648c948ce1e0f29942459a491 |
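Review bot: the new [prometheus-msteams] pin records only the version and an amd64 digest, with no note of why 1.5.3 was chosen; the commit message says it fixes CVE-2023-24538 and CVE-2023-24540, so add that next to the pin (e.g. `# 1.5.3 fixes CVE-2023-24538, CVE-2023-24540`) so a later bump does not silently drop below the fixed version, and confirm the entry is still needed given the question below about prometheus-msteams having been removed from Kolla in 2025.1.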
This shouldn't be required because prometheus-msteams was removed from Kolla in 2025.1: https://review.opendev.org/c/openstack/kolla/+/927000
| prometheus_msteams_allowed_vulnerabilities: | ||
| - CVE-2024-45337 | ||
| - CVE-2025-68121 |
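Review bot: CVE-2024-45337 is suppressed here for prometheus-msteams but appears nowhere in the commit message, and the CVE-2025-68121 suppression for this image is not covered by the "prometheus images" rationale unless msteams is meant to be included in it; add a comment beside each id stating the reason (no TLS listener, trusted network, client-only, etc.), as the earlier review asks, so the suppression can be re-evaluated when the image or its exposure changes.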
bump cadvisor to 0.56.2
Ignore CVE-2024-24790 in prometheus mtail exporter
control plane is trusted
Upgrade prometheus-msteams to 1.5.3 to fix CVE-2023-24538 CVE-2023-24540
Bump grafana to 12.3.3 to fix CVE-2025-68121
grafana server 12.3.3 is fixed but the opensearch-datasource plugin is still affected.
Bump etcd to 3.5.27 to fix CVE-2025-68121
Ignore CVE-2025-68121 for prometheus images
Ignore CVE-2025-68121 for influxdb
No new version is available and it runs on a secure network
Ignore CVE-2025-68121 for letsencrypt-lego
it only talks to known servers
Ignore CVE-2025-68121 for neutron
report caused by docker client and we don't speak to remote docker over tls