Policy on Handling CVEs in Helm Charts

Summary

The user is inquiring about the patch policy for critical CVEs found in default images on recent versions of Helm charts and the general policy for addressing CVE fixes. They are willing to file a GitHub issue for tracking.


Question

Hello - I have picked up on several cataloged critical CVEs present in the images provided as defaults in the last few versions of the Helm charts. I am wondering what the patch policy is for these, and the policy around CVE fixes in general? I am happy to file a GitHub issue as well, if that is easier for tracking.
https://nvd.nist.gov/vuln/detail/CVE-2024-1597
https://nvd.nist.gov/vuln/detail/CVE-2022-48174
https://nvd.nist.gov/vuln/detail/CVE-2022-37434
https://nvd.nist.gov/vuln/detail/CVE-2023-38545
https://nvd.nist.gov/vuln/detail/CVE-2023-23914
https://nvd.nist.gov/vuln/detail/CVE-2019-8457
https://nvd.nist.gov/vuln/detail/CVE-2023-45853
The first appears to be coming from the Java base image used to build the Airbyte images, the middle two from the socat, busybox, and curl images configured for jobs, the fourth from temporal auto-setup, and the last three from the kubectl image.
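The triage described in this post (working out which default image each reported CVE comes from) can be reproduced with a small script. The following is an added example, not code from the thread or from Airbyte; it assumes two inputs, the text produced by `helm template` for the chart and a scanner report already reduced to a simple per-image list of findings. Both inputs are constructed here: the image names and tags are placeholders chosen to mirror the components named in the post, the CVE attribution follows the post, and `CVE-0000-0001` is a placeholder id used only to show the severity filter.

```python
"""Map scanner CVE findings back to the default images a Helm chart renders.

Added example (not Airbyte's or the chart's own code). Inputs are a rendered
manifest (what `helm template <release> <chart>` prints) and a simplified
scanner report. Both samples below are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample of rendered chart output. Image references are
# placeholders chosen to mirror the components named in the post.
RENDERED_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: server
spec:
  template:
    spec:
      containers:
        - name: server
          image: "example.io/airbyte/server:0.50.52"
        - name: kubectl
          image: 'bitnami/kubectl:1.28'
---
apiVersion: batch/v1
kind: Job
metadata:
  name: temporal-setup
spec:
  template:
    spec:
      initContainers:
        - name: wait-for-db
          image: busybox:1.35
      containers:
        - name: temporal
          image: temporalio/auto-setup:1.20
        - name: socat
          image: alpine/socat:1.7.4
        - name: curl
          image: curlimages/curl:8.1.0
"""

# Constructed, simplified scanner output: one entry per image with the CVEs
# the scanner reported. CVE-0000-0001 is a placeholder id, not a real CVE.
SCANNER_REPORT = [
    {"image": "example.io/airbyte/server:0.50.52", "findings": [
        {"id": "CVE-2024-1597", "severity": "CRITICAL", "package": "org.postgresql:postgresql"}]},
    {"image": "busybox:1.35", "findings": [
        {"id": "CVE-2022-48174", "severity": "CRITICAL", "package": "busybox"}]},
    {"image": "alpine/socat:1.7.4", "findings": [
        {"id": "CVE-2022-37434", "severity": "CRITICAL", "package": "zlib"}]},
    {"image": "curlimages/curl:8.1.0", "findings": [
        {"id": "CVE-2022-37434", "severity": "CRITICAL", "package": "zlib"},
        {"id": "CVE-0000-0001", "severity": "HIGH", "package": "placeholder"}]},
    {"image": "temporalio/auto-setup:1.20", "findings": [
        {"id": "CVE-2023-38545", "severity": "CRITICAL", "package": "curl"}]},
    {"image": "bitnami/kubectl:1.28", "findings": [
        {"id": "CVE-2023-23914", "severity": "CRITICAL", "package": "curl"},
        {"id": "CVE-2019-8457", "severity": "CRITICAL", "package": "libsqlite3"},
        {"id": "CVE-2023-45853", "severity": "CRITICAL", "package": "zlib"}]},
    # An image the scanner saw in the registry but the chart does not render:
    {"image": "nginx:1.25", "findings": [
        {"id": "CVE-0000-0001", "severity": "CRITICAL", "package": "placeholder"}]},
]

# Matches `image: ref`, `- image: ref`, with or without quotes around ref.
IMAGE_RE = re.compile(r'^\s*(?:-\s*)?image:\s*["\']?([^"\'\s]+)["\']?\s*$', re.MULTILINE)
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def extract_images(manifest: str) -> list[str]:
    """Return the unique image references found in rendered manifest text."""
    return sorted(set(IMAGE_RE.findall(manifest)))


def findings_by_image(report, images, min_severity="CRITICAL"):
    """Map each rendered image to its CVE ids at or above min_severity.

    Findings for images the chart does not render are dropped, so the result
    covers only what a default install would actually run.
    """
    floor = SEVERITY_RANK[min_severity]
    rendered = set(images)
    result = {}
    for entry in report:
        if entry["image"] not in rendered:
            continue
        ids = sorted(f["id"] for f in entry["findings"]
                     if SEVERITY_RANK.get(f["severity"].upper(), 0) >= floor)
        if ids:
            result[entry["image"]] = ids
    return result


def images_by_cve(by_image):
    """Invert the mapping: which rendered images carry each CVE."""
    inverted = defaultdict(list)
    for image, ids in by_image.items():
        for cve in ids:
            inverted[cve].append(image)
    return {cve: sorted(imgs) for cve, imgs in inverted.items()}


if __name__ == "__main__":
    images = extract_images(RENDERED_MANIFEST)
    by_image = findings_by_image(SCANNER_REPORT, images)
    for cve, imgs in sorted(images_by_cve(by_image).items()):
        print(f"{cve}: {', '.join(imgs)}")
```

To use it against a real chart, pipe the output of `helm template` into `RENDERED_MANIFEST` and reduce the JSON your scanner emits to the `{"image", "findings"}` shape above; restricting the report to the rendered image set is what keeps the result tied to the chart's defaults rather than to everything the registry happens to hold.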



This topic has been created from a Slack thread to give it more visibility.

<@U04197GAK9R> is this something in the plans for the deployment team to work on in the near future?

I'd also appreciate some info about historical version support, i.e. for how long after each release Airbyte supports bug fixes and security patches? I cannot seem to find any information on your website about it.

In my case specifically, I'm using 0.50.52, so I'd like to know whether the expectation is that I must upgrade to the latest version to get fixes, or if you would port those fixes back to v0.50 as well.

Hi - wanted to check in again on this?

<@U02TQLBLDU4> <@U04197GAK9R> can I get another comment on this? Your policies and procedures in this regard, if any, are a huge consideration in our practical adoption of this software.

Based on the fact that these are critical CVEs spanning the last 5 years, my running assumption is that you don't scan for them or fix them on a regular basis, let alone backport.