
Commit 7a9361a

committed
Dependencies updated or ignored for CVE vulnerabilities
- bump cadvisor to 0.56.2 - Ignore CVE-2024-24790 in prometheus mtail exporter control plane is trusted - Bump grafana to 12.3.3 to fix CVE-2025-68121 grafana server 12.3.3 is fixed but the opensearch-datasource plugin is still affected. - Bump etcd to 3.5.27 to fix CVE-2025-68121 - Ignore CVE-2025-68121 for prometheus images - server-side: exporters and server are not listening with tls - as client: only querying known services - Ignore CVE-2025-68121 for influxdb No new version is available and it runs on a secure network - Ignore CVE-2025-68121 for letsencrypt-lego it only talks to known servers - Ignore CVE-2025-68121 for neutron it is the docker client that triggers it and we don't speak to remote docker over tls
1 parent 92ec1f4 commit 7a9361a


3 files changed

+51
-5
lines changed


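--- a/etc/kayobe/kolla/kolla-build.conf
+++ b/etc/kayobe/kolla/kolla-build.conf
@@ -19,8 +19,8 @@ location = https://github.com/stackhpc/requirements
 reference = stackhpc/{{ openstack_release }}
 
 [etcd]
-version = 3.5.21
-sha256 = amd64:adddda4b06718e68671ffabff2f8cee48488ba61ad82900e639d108f2148501c,arm64:95bf6918623a097c0385b96f139d90248614485e781ec9bee4768dbb6c79c53f
+version = 3.5.27
+sha256 = amd64:0aad9a9e4e0817a021e933f9806a2b2960a62f949ad5a3d6436d8886945cb1bc,arm64:1277309f540c5a0329c428f95455c9f76d24f768c8d28fd2753e891c379053fa
 
 [letsencrypt-lego]
 version = v4.23.1
@@ -32,5 +32,5 @@ sha256 = amd64:c5deada86fe609deefdf40e9cbbe3da2f8cf3f6a4551a0ebe7886dc8fcf98bce,
 
 # TODO: move to kolla_sources in kolla.yml once https://review.opendev.org/c/openstack/kayobe/+/970268 is available
 [prometheus-cadvisor]
-version = 0.54.1
-sha256 = amd64:21be8d2797433048474e676d37c215c28fb171509448ef9b1c4648a564e39595,arm64:21f7bac786f6c53a8091964b4d3ff2486a0c460e5a410000b59a9a565b4183a9
+version = 0.56.2
+sha256 = amd64:ad92930f16a2f9da15190675e09eeaceb8fd38637d07a686bb0dd68695f692af,arm64:b7a707379496fd7a7b5d2768c5c494427112f534ba5069f889af28ffe6ad11bb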

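--- a/etc/kayobe/pulp-repo-versions.yml
+++ b/etc/kayobe/pulp-repo-versions.yml
@@ -25,7 +25,7 @@ stackhpc_pulp_repo_elrepo_9_aarch64_version: 20250408T030629
 stackhpc_pulp_repo_elrepo_9_version: 20260127T212055
 stackhpc_pulp_repo_epel_9_aarch64_version: 20260204T223146
 stackhpc_pulp_repo_epel_9_version: 20260204T220346
-stackhpc_pulp_repo_grafana_version: 20260204T212232
+stackhpc_pulp_repo_grafana_version: 20260214T213531
 stackhpc_pulp_repo_opensearch_2_x_version: 20251106T202313
 stackhpc_pulp_repo_opensearch_dashboards_2_x_version: 20251106T202313
 stackhpc_pulp_repo_rhel9_rabbitmq_erlang_26_aarch64_version: 20260112T224827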

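--- a/etc/kayobe/trivy/allowed-vulnerabilities.yml
+++ b/etc/kayobe/trivy/allowed-vulnerabilities.yml
@@ -16,33 +16,79 @@ fluentd_allowed_vulnerabilities:
 - CVE-2024-27280
 grafana_allowed_vulnerabilities:
 - CVE-2024-8986
+- CVE-2025-68121 # the opensearch datasource plugin is still vulnerable
 influxdb_allowed_vulnerabilities:
 - CVE-2024-45337
+- CVE-2025-68121
+ironic_neutron_agent_allowed_vulnerabilities:
+- CVE-2025-68121
+letsencrypt_lego_allowed_vulnerabilities:
+- CVE-2025-68121
 magnum_conductor_allowed_vulnerabilities:
 - CVE-2024-45337
+- CVE-2025-68121
+neutron_base_allowed_vulnerabilities:
+- CVE-2025-68121
+neutron_bgp_dragent_allowed_vulnerabilities:
+- CVE-2025-68121
+neutron_dhcp_agent_allowed_vulnerabilities:
+- CVE-2025-68121
+neutron_l3_agent_allowed_vulnerabilities:
+- CVE-2025-68121
+neutron_linuxbridge_agent_allowed_vulnerabilities:
+- CVE-2025-68121
+neutron_metadata_agent_allowed_vulnerabilities:
+- CVE-2025-68121
+neutron_mlnx_agent_allowed_vulnerabilities:
+- CVE-2025-68121
+neutron_openvswitch_agent_allowed_vulnerabilities:
+- CVE-2025-68121
+neutron_ovn_agent_allowed_vulnerabilities:
+- CVE-2025-68121
+neutron_server_allowed_vulnerabilities:
+- CVE-2025-68121
+neutron_sriov_agent_allowed_vulnerabilities:
+- CVE-2025-68121
 opensearch_dashboards_allowed_vulnerabilities:
 - CVE-2025-68428
+prometheus_alertmanager_allowed_vulnerabilities:
+- CVE-2025-68121
 prometheus_blackbox_exporter_allowed_vulnerabilities:
 - CVE-2024-24790
 - CVE-2024-45337
+- CVE-2025-68121
 prometheus_memcached_exporter_allowed_vulnerabilities:
 - CVE-2024-45337
+- CVE-2025-68121
 prometheus_mysqld_exporter_allowed_vulnerabilities:
 - CVE-2024-45337
+- CVE-2025-68121
 prometheus_elasticsearch_exporter_allowed_vulnerabilities:
 - CVE-2024-45337
+- CVE-2025-68121
 prometheus_node_exporter_allowed_vulnerabilities:
 - CVE-2024-45337
+- CVE-2025-68121
 prometheus_openstack_exporter_allowed_vulnerabilities:
 - CVE-2024-24790
 - CVE-2024-45337
+- CVE-2025-68121
 prometheus_ovn_exporter_allowed_vulnerabilities:
 - CVE-2024-24790
+- CVE-2025-68121
 prometheus_libvirt_exporter_allowed_vulnerabilities:
 - CVE-2024-45337
+- CVE-2025-68121
 prometheus_cadvisor_allowed_vulnerabilities:
 - CVE-2024-41110
 - CVE-2024-45337
+- CVE-2025-68121
+prometheus_mtail_allowed_vulnerabilities:
+- CVE-2024-24790
+- CVE-2025-68121
+prometheus_v2_server_allowed_vulnerabilities:
+- CVE-2024-45337
+- CVE-2025-68121
 
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.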
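Review bot: Two of the new suppressions have no stated rationale anywhere on the page: CVE-2025-68121 under `magnum_conductor_allowed_vulnerabilities`, and CVE-2024-45337 under the new `prometheus_v2_server_allowed_vulnerabilities` key. The commit description justifies the ignores only for grafana, the prometheus images (CVE-2025-68121, plus CVE-2024-24790 on mtail), influxdb, letsencrypt-lego and neutron. Apart from the grafana line, none of the added entries carries an inline reason, so the assumptions the description relies on (no TLS listeners, only known peers, no remote docker over TLS) are not visible next to the allowlist and are unlikely to be re-checked if a deployment changes them. I would put the reason on each entry in the same style as the grafana one, e.g. `- CVE-2025-68121  # exporters do not listen with TLS; client side only queries known services`, and either add a reason for the magnum_conductor and prometheus_v2_server entries or drop them. The influxdb ignore is presumably temporary, given the description's "No new version is available", so a `# TODO: remove once a fixed influxdb build is available` comment would help it get revisited.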
