Skip to content

[release-1.34] Fix CVEs: debian-base bookworm-v1.0.8 and prometheus/prometheus v0.311.3#1309

Open
hakman wants to merge 2 commits into
kubernetes:release-1.34from
hakman:fix-cves-release-1.34
Open

[release-1.34] Fix CVEs: debian-base bookworm-v1.0.8 and prometheus/prometheus v0.311.3#1309
hakman wants to merge 2 commits into
kubernetes:release-1.34from
hakman:fix-cves-release-1.34

Conversation

@hakman

@hakman hakman commented Jul 11, 2026

Copy link
Copy Markdown
Member

Fixes the actionable CVEs found by Trivy / Docker Scout scans of the release-1.34 post-submit image (gcr.io/k8s-staging-npd/node-problem-detector:release-1.34).

1. Cherry-pick the debian-base bump to bookworm-v1.0.8 from master — all fixable OS-level CRITICAL/HIGH findings come from bookworm-v1.0.7:

2. Re-bump github.com/prometheus/prometheus to v0.311.3 — the bump from 98e831b ("Fix Grype CVEs") was unintentionally reverted back to v0.35.0 by the go.mod conflict resolution in f844870, reintroducing CVE-2026-42154 (High), CVE-2026-40179 and CVE-2026-44903 (Medium). release-1.35 and master already ship v0.311.3.

prometheus/prometheus v0.311.3 requires k8s.io/client-go v0.35.x, so the k8s.io modules are pinned back to v0.34.1 via replace directives (allow-listed for the gomoddirectives linter). The pinned versions are what the binaries are built with and what gets recorded in their build info.

Update base image to debian-base:bookworm-v1.0.8 and github.com/prometheus/prometheus to v0.311.3 to fix CVEs

Bumps build-image/debian-base from bookworm-v1.0.7 to bookworm-v1.0.8.

---
updated-dependencies:
- dependency-name: build-image/debian-base
  dependency-version: bookworm-v1.0.8
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 1d01ffa)
@kubernetes-prow kubernetes-prow Bot added this to the v1.34 milestone Jul 11, 2026
@kubernetes-prow kubernetes-prow Bot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 11, 2026
@kubernetes-prow kubernetes-prow Bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jul 11, 2026
@hakman

hakman commented Jul 11, 2026

Copy link
Copy Markdown
Member Author

/cc @ameukam @upodroid

@kubernetes-prow kubernetes-prow Bot requested review from ameukam and upodroid July 11, 2026 07:48
@hakman

hakman commented Jul 11, 2026

Copy link
Copy Markdown
Member Author

/retest

1 similar comment
@hakman

hakman commented Jul 11, 2026

Copy link
Copy Markdown
Member Author

/retest

@kubernetes-prow kubernetes-prow Bot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 11, 2026
@kubernetes-prow

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman, upodroid

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubernetes-prow kubernetes-prow Bot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 11, 2026
@kubernetes-prow

Copy link
Copy Markdown
Contributor

New changes are detected. LGTM label has been removed.

@hakman

hakman commented Jul 11, 2026

Copy link
Copy Markdown
Member Author

prometheus/prometheus v0.311.3 requires k8s.io/client-go v0.35.x, so the k8s.io modules are pinned back to v0.34.1 via replace directives. The 3.5 LTS backport (v0.305.2) would avoid the pins, but is affected by CVE-2026-42151 (fixed only in v0.311.3), so it would just swap one HIGH finding for another.

@hakman hakman force-pushed the fix-cves-release-1.34 branch from 1a6a21f to da25db2 Compare July 11, 2026 11:37
The bump to v0.311.3 from commit 98e831b ("Fix Grype CVEs: update
logrus and prometheus/prometheus") was unintentionally reverted to
v0.35.0 by the go.mod conflict resolution in commit f844870 ("Run go
mod tidy and adapt to prometheus/common v0.67 API").

Re-apply it to fix CVE-2026-42154 (High), CVE-2026-40179 and
CVE-2026-44903 (Medium).

prometheus/prometheus v0.311.3 requires k8s.io/client-go v0.35.x,
which would drag the k8s.io modules past the v0.34 line this branch
must stay on. Pin k8s.io/api, k8s.io/apimachinery and k8s.io/client-go
back to v0.34.1 with replace directives in both the root and test
modules, so the built binaries keep using v0.34.1 (the replacement is
also what gets recorded in the binary build info).

The only prometheus/prometheus package linked into the NPD binaries is
model/value, so none of the k8s-facing prometheus code is compiled.
@hakman hakman force-pushed the fix-cves-release-1.34 branch from da25db2 to 6097eab Compare July 11, 2026 11:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants