CVE: Container images related to ptp-notification have one or more critical or high CVEs

Bug #2051391 reported by Ghada Khalil
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Andre Mauricio Zelak

Bug Description

Brief Description
-----------------
The following images related to ptp-notification are old and have CVEs:
- docker.io/starlingx/notificationclient-base:stx.9.0-v2.1.1 >> last built in March 2023
- docker.io/starlingx/locationservice-base:stx.8.0-v2.0.0 >> last built in Dec 2022
- docker.io/rabbitmq:3.8.11-management >> obsolete and no longer recommended for use

They should be updated/rebuilt to pick up CVE fixes

Severity
--------
Major - CVE / vulnerability issues

Steps to Reproduce
------------------
CVE scan using 3rd party tool

Expected Behavior
------------------
No/limited CVEs are reported

Actual Behavior
----------------
Many CVEs are reported

Reproducibility
---------------
Reproducible

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
The above images are used in all recent stx main branch builds

Last Pass
---------
N/A

Timestamp/Logs
--------------
Not Required

Test Activity
-------------
CVE scan

Workaround
----------
None

Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
description: updated
Changed in starlingx:
assignee: nobody → Andre Mauricio Zelak (azelak)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ptp-notification-armada-app (master)
Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil)
tags: added: stx.9.0 stx.networking stx.security
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to root (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/root/+/910967

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ptp-notification-armada-app (master)
OpenStack Infra (hudson-openstack) wrote : Fix merged to root (master)

Reviewed: https://review.opendev.org/c/starlingx/root/+/910967
Committed: https://opendev.org/starlingx/root/commit/9c4b5e8ecd99cdf8393eaf79caabd1fcb1c785e3
Submitter: "Zuul (22348)"
Branch: master

commit 9c4b5e8ecd99cdf8393eaf79caabd1fcb1c785e3
Author: Andre Mauricio Zelak <email address hidden>
Date: Mon Mar 4 13:39:41 2024 -0300

    Update image tags for ptp-notification images

    Update the following image tags:

    notificationservice-base
    stx.9.0-v2.2.0

    notificationservice-base-v2
    stx.9.0-v2.2.0

    notificationclient-base
    stx.9.0-v2.2.0

    locationservice-base
    stx.9.0-v2.2.0

    Partial-Bug: 2051391

    Change-Id: Ibf362f7b2a06438e04eb2a907effe691aae70e14
    Signed-off-by: Andre Mauricio Zelak <email address hidden>

OpenStack Infra (hudson-openstack) wrote : Fix merged to ptp-notification-armada-app (master)

Reviewed: https://review.opendev.org/c/starlingx/ptp-notification-armada-app/+/910974
Committed: https://opendev.org/starlingx/ptp-notification-armada-app/commit/d38115c8edd9bda349dea5359e61e3fc1004c792
Submitter: "Zuul (22348)"
Branch: master

commit d38115c8edd9bda349dea5359e61e3fc1004c792
Author: Andre Mauricio Zelak <email address hidden>
Date: Mon Mar 4 14:58:22 2024 -0300

    Update image tags for ptp-notification images

    Update the following image tags:

    notificationservice-base
    stx.9.0-v2.2.0

    notificationservice-base-v2
    stx.9.0-v2.2.0

    locationservice-base
    stx.9.0-v2.2.0

    Closes-Bug: 2051391

    Change-Id: Ie73115e2d91a4654841adc286bc560ca603aa2cd
    Signed-off-by: Andre Mauricio Zelak <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
tags: added: stx.apps