[release-3.5] Dockerfile*: Switch baseimage to k8s hosted one #13862

Merged
merged 1 commit into from
Apr 12, 2022

Conversation

@mrueg mrueg commented Mar 31, 2022

@mrueg mrueg changed the title [release-3.5] Dockerfile*: Switch baseimage to k8s hosted one [WIP] [release-3.5] Dockerfile*: Switch baseimage to k8s hosted one Mar 31, 2022
@mrueg mrueg changed the title [WIP] [release-3.5] Dockerfile*: Switch baseimage to k8s hosted one [release-3.5] Dockerfile*: Switch baseimage to k8s hosted one Mar 31, 2022
@serathius serathius mentioned this pull request Apr 6, 2022
@ptabor ptabor left a comment

Thank you.

I assume it's not a cherry-pick from main, as v3.6 stays on distro-less on purpose:
https://github.com/etcd-io/etcd/blob/main/Dockerfile-release.amd64

mrueg commented Apr 11, 2022

@ptabor exactly

@serathius could we get this into the 3.5.3 release cycle?

| Image | Critical | High | Medium | Low | Negligible | Unknown |
| --- | --- | --- | --- | --- | --- | --- |
| debian:bullseye-20210927 | 6 | 7 | 6 | 5 | 55 | 21 |
| debian:bullseye-20220328 | 0 | 3 | 1 | 5 | 55 | 5 |
| k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0 | 6 | 7 | 2 | 5 | 46 | 9 |
| k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0-apt-get | 0 | 2 | 1 | 5 | 46 | 5 |
| k8s.gcr.io/build-image/debian-base:bullseye-v1.2.0 | 0 | 3 | 1 | 5 | 46 | 5 |
grype debian:bullseye-20210927                                                                                       
 ✔ Vulnerability DB        [no update available]
 ✔ Pulled image            
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [96 packages]
 ✔ Scanned image           [102 vulnerabilities]

vs

~/go/bin/grype debian:bullseye-20220328                     

vs

grype k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0

vs

k8s-bullseye with running apt-get update && apt-get upgrade -yy during build

grype k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0-apt-get

vs

~/go/bin/grype k8s.gcr.io/build-image/debian-base:bullseye-v1.2.0 
libsepol1         3.1-1               (won't fix)              CVE-2021-36087    Low         
libsepol1         3.1-1               (won't fix)              CVE-2021-36084    Low         
libsepol1         3.1-1               (won't fix)              CVE-2021-36086    Low         
libssl1.1         1.1.1n-0+deb11u1                             CVE-2007-6755     Negligible  
libssl1.1         1.1.1n-0+deb11u1                             CVE-2010-0928     Negligible  
libsystemd0       247.3-7                                      CVE-2020-13529    Negligible  
libsystemd0       247.3-7                                      CVE-2013-4392     Negligible  
libudev1          247.3-7                                      CVE-2013-4392     Negligible  
libudev1          247.3-7                                      CVE-2020-13529    Negligible  
login             1:4.8.1-1                                    CVE-2019-19882    Negligible  
login             1:4.8.1-1                                    CVE-2007-5686     Negligible  
login             1:4.8.1-1                                    CVE-2013-4235     Negligible  
passwd            1:4.8.1-1                                    CVE-2019-19882    Negligible  
passwd            1:4.8.1-1                                    CVE-2007-5686     Negligible  
passwd            1:4.8.1-1                                    CVE-2013-4235     Negligible  
perl-base         5.32.1-4+deb11u2                             CVE-2011-4116     Negligible  
perl-base         5.32.1-4+deb11u2    (won't fix)              CVE-2020-16156    High        
tar               1.34+dfsg-1                                  CVE-2005-2541     Negligible  
zlib1g            1:1.2.11.dfsg-2     1:1.2.11.dfsg-2+deb11u1  CVE-2018-25032    High        
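The comparison the thread draws between base images comes down to counting grype's rows per severity and checking whether a fix is actually available (FIXED-IN empty or "(won't fix)" means nothing to pull in). As an added example, not code from this PR, etcd or grype, the following Python parses the plain-text table grype prints, as quoted above, and produces those counts plus the delta between two scans:

```python
"""Summarise grype's plain-text table output by severity and fix status.

Added example, not code from this PR, etcd or grype. It assumes the column
layout grype prints, with cells separated by two or more spaces, as above.
"""
import re
from collections import Counter

COLUMNS = ["NAME", "INSTALLED", "FIXED-IN", "VULNERABILITY", "SEVERITY"]

# Sample input: a four-row excerpt of the bullseye-v1.2.0 scan quoted above
# (spacing constructed here; grype itself prints aligned columns).
SAMPLE = """\
NAME              INSTALLED           FIXED-IN                 VULNERABILITY     SEVERITY
coreutils         8.32-4+b1           (won't fix)              CVE-2016-2781     Low
gzip              1.10-4                                       CVE-2022-1271     Unknown
libgcrypt20       1.8.7-6             (won't fix)              CVE-2021-33560    High
zlib1g            1:1.2.11.dfsg-2     1:1.2.11.dfsg-2+deb11u1  CVE-2018-25032    High
"""


def parse_grype_table(text):
    """Return one dict per finding, keyed by column name."""
    rows = [line for line in text.splitlines() if line.strip()][1:]
    findings = []
    for row in rows:
        cells = re.split(r" {2,}", row.strip())
        # A row with four cells has an empty FIXED-IN (no fix known);
        # re-insert it so the later columns do not shift.
        if len(cells) == len(COLUMNS) - 1:
            cells.insert(2, "")
        if len(cells) != len(COLUMNS):
            raise ValueError(f"unexpected grype row: {row!r}")
        findings.append(dict(zip(COLUMNS, cells)))
    return findings


def summarize(text):
    """Count findings per severity and list those with a real fix."""
    findings = parse_grype_table(text)
    by_severity = dict(Counter(f["SEVERITY"] for f in findings))
    fixable = [(f["NAME"], f["VULNERABILITY"], f["FIXED-IN"])
               for f in findings if f["FIXED-IN"] not in ("", "(won't fix)")]
    return {"by_severity": by_severity, "fixable": fixable}


def severity_delta(old_text, new_text):
    """Per-severity change between two scans (negative means fewer)."""
    old = Counter(f["SEVERITY"] for f in parse_grype_table(old_text))
    new = Counter(f["SEVERITY"] for f in parse_grype_table(new_text))
    return {sev: new[sev] - old[sev] for sev in sorted(set(old) | set(new))}
```

Feed it the full output of `grype <image>` for two candidate base images to reproduce the per-severity table at the top of this thread and see which findings a rebuild would actually remove.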

@serathius
Member

With critical issues present in current image we should consider adding this to v3.5.3, however:

  • What's the difference between k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0 and k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0-apt-get, on which you did the image analysis, and why are we not using them in the Dockerfiles?
  • Could you link a Dockerfile for the k8s images so we can understand if there are some obvious breaking changes?

@mrueg
Contributor Author

mrueg commented Apr 11, 2022

k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0-apt-get was built on my local machine by taking the k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0 base image and running apt-get update && apt-get upgrade -yy during the build.
The plan for this change is to move etcd back to the k8s.gcr.io/debian-base containers, which it was using before; that's why they are used as a comparison.

See this about k8s.gcr.io debian-base containers:
https://github.com/kubernetes/release/blob/d41c86508aac7f0b6d5f701fb2f6d3ae29bf35e0/images/build/debian-base/README.md

etcd was using it before: bad9a52, so I don't expect any breakage.
See also: #13376

CC @justaugustus, or someone else from the k8s release team, who might be able to provide more context if needed.

@serathius
Member

k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0-apt-get got built on my local machine and was taking the k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0 base image and run apt-get update && apt-get upgrade -yy during build. The plan for this change is to move etcd back to the k8s.gcr.io/debian-base containers which it was using before, that's why they are used as a comparison.

So k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0 has only minimal benefits over debian:bullseye-20210927 (4 medium fixed when there are 6 critical). As we don't run apt-get in our release scripts, the image change doesn't matter here.

Could we maybe ask the K8s release folks to release k8s.gcr.io/build-image/debian-base:bullseye-v1.1.1 with the critical issues addressed?

@justaugustus
Contributor

Could we maybe ask K8s release folks to release k8s.gcr.io/build-image/debian-base:bullseye-v1.1.1 with critical issues addressed?

We can certainly help out w/ that!
Will track in kubernetes/release#2409.

@serathius
Member

As there has been no progress since February, I don't think the new image will be ready for v3.5.3, which is expected within days (if nothing new pops up). Based on that, I don't think it makes sense to block v3.5.3 on this.

@mrueg
Contributor Author

mrueg commented Apr 12, 2022

Alternatively, we should consider upgrading to at least debian:bullseye-20220328, I've added it to the table above.

@serathius
Member

Makes sense; our goal should be providing images with the least amount of vulnerabilities. Based on that, I don't see any benefit from using the k8s image until they push a new image. On the other hand, switching to debian:bullseye-20220328 makes sense.

@justaugustus
Contributor

As there was no progress from February I don't think new image will be ready for v3.5.3 which is expected within days (if nothing new pops up). Based on that I don't think it makes sense to block v3.5.3 on this.

Just a note that the latest debian-base from Kubernetes is k8s.gcr.io/build-image/debian-base:bullseye-v1.2.0.

Can you scan against that?

Signed-off-by: Manuel Rüger <manuel@rueg.eu>
@mrueg
Contributor Author

mrueg commented Apr 12, 2022

As there was no progress from February I don't think new image will be ready for v3.5.3 which is expected within days (if nothing new pops up). Based on that I don't think it makes sense to block v3.5.3 on this.

Just a note that the latest debian-base from Kubernetes is k8s.gcr.io/build-image/debian-base:bullseye-v1.2.0.

Can you scan against that?

Done, I added it to the table above.

In the meantime I switched to a more recent debian:bullseye snapshot; happy to switch back to the k8s hosted one.

@serathius
Member

I think this is a good enough improvement for v3.5.3. Please add a release note in a separate PR.

@serathius serathius merged commit cd750e4 into etcd-io:release-3.5 Apr 12, 2022
mrueg added a commit to mrueg/etcd that referenced this pull request Apr 12, 2022
Signed-off-by: Manuel Rüger <manuel@rueg.eu>
mrueg added a commit to mrueg/etcd that referenced this pull request Apr 12, 2022
Signed-off-by: Manuel Rüger <manuel@rueg.eu>
serathius added a commit that referenced this pull request Apr 12, 2022