
fix vulnerabilities #983


Merged
merged 1 commit into from
Mar 24, 2025

Conversation

sanjaykkr
Contributor

Fix Vulnerabilities

upgraded alpine version from 3.18.5 to 3.21.3

How to use

Before the change

2025-03-24T14:52:27+05:30       INFO    Vulnerability scanning is enabled
2025-03-24T14:52:27+05:30       INFO    Detected OS     family="alpine" version="3.18.5"
2025-03-24T14:52:27+05:30       INFO    [alpine] Detecting vulnerabilities...   os_version="3.18" repository="3.18" pkg_num=17
2025-03-24T14:52:27+05:30       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.53/docs/scanner/vulnerability#severity-selection for details.

testing/flatcar/nebraska:latest (alpine 3.18.5)

Total: 32 (LOW: 4, MEDIUM: 28, HIGH: 0, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2023-42363 │ MEDIUM   │ fixed  │ 1.36.1-r5         │ 1.36.1-r7     │ busybox: use-after-free in awk                              │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42363                  │
│               ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-42364 │          │        │                   │               │ busybox: use-after-free                                     │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42364                  │
│               ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-42365 │          │        │                   │               │ busybox: use-after-free                                     │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42365                  │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-42366 │          │        │                   │ 1.36.1-r6     │ busybox: A heap-buffer-overflow                             │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42366                  │
├───────────────┼────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│ busybox-binsh │ CVE-2023-42363 │          │        │                   │ 1.36.1-r7     │ busybox: use-after-free in awk                              │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42363                  │
│               ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-42364 │          │        │                   │               │ busybox: use-after-free                                     │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42364                  │
│               ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-42365 │          │        │                   │               │ busybox: use-after-free                                     │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42365                  │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-42366 │          │        │                   │ 1.36.1-r6     │ busybox: A heap-buffer-overflow                             │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42366                  │
├───────────────┼────────────────┤          │        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto3    │ CVE-2023-6129  │          │        │ 3.1.4-r1          │ 3.1.4-r3      │ openssl: POLY1305 MAC implementation corrupts vector        │
│               │                │          │        │                   │               │ registers on PowerPC                                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6129                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-6237  │          │        │                   │ 3.1.4-r4      │ openssl: Excessive time spent checking invalid RSA public   │
│               │                │          │        │                   │               │ keys                                                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6237                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-0727  │          │        │                   │ 3.1.4-r5      │ openssl: denial of service via null dereference             │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-0727                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-13176 │          │        │                   │ 3.1.8-r0      │ openssl: Timing side-channel in ECDSA signature computation │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                  │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-4603  │          │        │                   │ 3.1.5-r0      │ openssl: Excessive time spent checking DSA keys and         │
│               │                │          │        │                   │               │ parameters                                                  │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4603                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-4741  │          │        │                   │ 3.1.6-r0      │ openssl: Use After Free with SSL_free_buffers               │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4741                   │
│               ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-5535  │          │        │                   │               │ openssl: SSL_select_next_proto buffer overread              │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-5535                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-6119  │          │        │                   │ 3.1.7-r0      │ openssl: Possible denial of service in X.509 name checks    │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6119                   │
│               ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-2511  │ LOW      │        │                   │ 3.1.4-r6      │ openssl: Unbounded memory growth with session handling in   │
│               │                │          │        │                   │               │ TLSv1.3                                                     │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-2511                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-9143  │          │        │                   │ 3.1.7-r1      │ openssl: Low-level invalid GF(2^m) parameters lead to OOB   │
│               │                │          │        │                   │               │ memory access                                               │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-9143                   │
├───────────────┼────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3       │ CVE-2023-6129  │ MEDIUM   │        │                   │ 3.1.4-r3      │ openssl: POLY1305 MAC implementation corrupts vector        │
│               │                │          │        │                   │               │ registers on PowerPC                                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6129                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-6237  │          │        │                   │ 3.1.4-r4      │ openssl: Excessive time spent checking invalid RSA public   │
│               │                │          │        │                   │               │ keys                                                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6237                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-0727  │          │        │                   │ 3.1.4-r5      │ openssl: denial of service via null dereference             │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-0727                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-13176 │          │        │                   │ 3.1.8-r0      │ openssl: Timing side-channel in ECDSA signature computation │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                  │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-4603  │          │        │                   │ 3.1.5-r0      │ openssl: Excessive time spent checking DSA keys and         │
│               │                │          │        │                   │               │ parameters                                                  │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4603                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-4741  │          │        │                   │ 3.1.6-r0      │ openssl: Use After Free with SSL_free_buffers               │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4741                   │
│               ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-5535  │          │        │                   │               │ openssl: SSL_select_next_proto buffer overread              │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-5535                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-6119  │          │        │                   │ 3.1.7-r0      │ openssl: Possible denial of service in X.509 name checks    │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6119                   │
│               ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-2511  │ LOW      │        │                   │ 3.1.4-r6      │ openssl: Unbounded memory growth with session handling in   │
│               │                │          │        │                   │               │ TLSv1.3                                                     │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-2511                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-9143  │          │        │                   │ 3.1.7-r1      │ openssl: Low-level invalid GF(2^m) parameters lead to OOB   │
│               │                │          │        │                   │               │ memory access                                               │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-9143                   │
├───────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2023-42363 │ MEDIUM   │        │ 1.36.1-r5         │ 1.36.1-r7     │ busybox: use-after-free in awk                              │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42363                  │
│               ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-42364 │          │        │                   │               │ busybox: use-after-free                                     │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42364                  │
│               ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-42365 │          │        │                   │               │ busybox: use-after-free                                     │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42365                  │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-42366 │          │        │                   │ 1.36.1-r6     │ busybox: A heap-buffer-overflow                             │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42366                  │
└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

After the change

2025-03-24T14:53:46+05:30       INFO    Vulnerability scanning is enabled
2025-03-24T14:53:46+05:30       INFO    Detected OS     family="alpine" version="3.21.3"
2025-03-24T14:53:46+05:30       WARN    This OS version is not on the EOL list  family="alpine" version="3.21"
2025-03-24T14:53:46+05:30       INFO    [alpine] Detecting vulnerabilities...   os_version="3.21" repository="3.21" pkg_num=17

testing/flatcar/nebraska:latest (alpine 3.21.3)

Total: 0 (LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Testing done

[Describe the testing you have done before submitting this PR. Please include both the commands you issued as well as the output you got.]

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.
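The "before" and "after" scans above are compared by eye. As an added example (not part of this PR or of the Nebraska project), the following script does the same comparison on Trivy's JSON report (`trivy image --format json`): it rebuilds the Total line, lists per package the highest fixed version the base-image bump has to ship, and returns a CI exit code. Field names follow Trivy's JSON report schema; the two sample reports are constructed from a subset of the table above, and apk_key is a deliberately simplified version comparison I assume for these plain numeric versions.

```python
import json
from collections import Counter

SEVERITIES = ("LOW", "MEDIUM", "HIGH", "CRITICAL")
# Constructed sample reports (not real scanner output): three of the "before"
# findings from the PR table, and the clean "after" result.
BEFORE_JSON = json.dumps({
    "Metadata": {"OS": {"Family": "alpine", "Name": "3.18.5"}},
    "Results": [{
        "Target": "testing/flatcar/nebraska:latest (alpine 3.18.5)",
        "Class": "os-pkgs", "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-42363", "PkgName": "busybox",
             "InstalledVersion": "1.36.1-r5", "FixedVersion": "1.36.1-r7",
             "Status": "fixed", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2024-13176", "PkgName": "libcrypto3",
             "InstalledVersion": "3.1.4-r1", "FixedVersion": "3.1.8-r0",
             "Status": "fixed", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2024-2511", "PkgName": "libcrypto3",
             "InstalledVersion": "3.1.4-r1", "FixedVersion": "3.1.4-r6",
             "Status": "fixed", "Severity": "LOW"},
        ],
    }],
})
AFTER_JSON = json.dumps({
    "Metadata": {"OS": {"Family": "alpine", "Name": "3.21.3"}},
    # Trivy omits the Vulnerabilities key entirely when a target is clean.
    "Results": [{"Target": "testing/flatcar/nebraska:latest (alpine 3.21.3)",
                 "Class": "os-pkgs", "Type": "alpine"}],
})

def load_findings(report_json):
    """Flatten every finding in a Trivy JSON report into one list."""
    findings = []
    for result in json.loads(report_json).get("Results") or []:
        findings.extend(result.get("Vulnerabilities") or [])
    return findings

def summary_line(findings):
    """Rebuild Trivy's 'Total: N (LOW: .., ...)' line from the findings."""
    counts = Counter(f.get("Severity", "UNKNOWN") for f in findings)
    return f"Total: {len(findings)} (" + ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES) + ")"

def apk_key(version):
    """Sort key for plain apk versions like '3.1.8-r0' (simplified, numeric only)."""
    upstream, _, release = version.partition("-r")
    return tuple(int(p) for p in upstream.split(".")), int(release or 0)

def required_versions(findings):
    """Highest FixedVersion per package (what the base-image bump must ship), plus unfixed IDs."""
    needed, unfixed = {}, []
    for f in findings:
        if f.get("Status") != "fixed" or not f.get("FixedVersion"):
            unfixed.append(f["VulnerabilityID"])
            continue
        pkg, fixed = f["PkgName"], f["FixedVersion"]
        if pkg not in needed or apk_key(fixed) > apk_key(needed[pkg]):
            needed[pkg] = fixed
    return needed, unfixed

def gate(report_json, fail_on=SEVERITIES):
    """CI exit code: 1 if any finding is at a blocking severity, else 0."""
    return 1 if any(f.get("Severity") in fail_on for f in load_findings(report_json)) else 0
```

With the default fail_on, the gate enforces the zero-findings bar the "after" scan shows; an empty unfixed list means a base-image bump alone resolves everything, as it did here.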

@sanjaykkr
Contributor Author

@ErvinRacz, could u pls review and approve this PR?

@ervcz ervcz merged commit 3e342fc into flatcar:main Mar 24, 2025
1 check passed
@sanjaykkr
Contributor Author

@ErvinRacz, when can I get the next version for this image? I would need a secure image of nebraska for compliance reasons.

@ervcz
Collaborator

ervcz commented Mar 25, 2025

@ErvinRacz, when can I get the next version for this image? I would need secure image of nebraska for compliance reasons

Hello @sanjaykkr! Thanks for reaching out and for the contribution! We don't have a set release schedule for Nebraska yet as we are currently doing some work on the infra, but we can plan to push a new release in about two weeks - hoping that would work for you too.

Otherwise you can always build an image yourself from any branch, but you have to be mindful that only the released versions went through systematic manual testing too.

@sanjaykkr
Contributor Author

sanjaykkr commented Mar 25, 2025

@ErvinRacz, let's have a release in about 2 weeks. That should be really helpful. Thanks for your reply. Pls let me know once released or if any release date is planned.

@sanjaykkr
Contributor Author

@ErvinRacz / @justdan96, can we release the latest image with these changes?

@ervcz
Collaborator

ervcz commented Apr 8, 2025

Hello @sanjaykkr, thank you for the reminder. Yes, we can try to make a release this week. A staging build is already created with your changes, and it is testable: docker pull ghcr.io/flatcar/nebraska:staging

@sanjaykkr
Contributor Author

Hey @ErvinRacz, could u pls release the latest image with this change? Waiting for consumption!

@ervcz
Collaborator

ervcz commented Apr 15, 2025

Hello @sanjaykkr, @justdan96 please find the latest release at

and thank you very much for your contribution!
