libcurl 8.2.1-rc0 - CVE-2023-38039

[pgr-josh-wells]

Hello,
libcurl 8.2.1-rc0 as implemented in kustomize-controller:v1.1.0 contains CVE-2023-38039.
https://nvd.nist.gov/vuln/detail/CVE-2023-38039

This is fixed in libcurl 8.3.0-rc0

Apologies for redundancy if this has been handled. Please close if necessary.

[stefanprodan]

Flux doesn't uses libcurl

[pgr-josh-wells]

Flux doesn't uses libcurl

Yes, but the published container image contains the package. From build utilities, base image, or as a transient dependency?

[makkes]

libcurl is part of the Alpine base image we're using to build our controllers. Alpine has already updated libcurl so the fix will likely be included in the next kustomize-controller release.

Please be advised that this is a false positive because Flux doesn't use libcurl, as Stefan noted. Flux is not affected by the CVE you linked above so there is no need to rush a release.

[s-bauer]

Yea that's the issue with most of the scanners/defenders for kubernetes. They obviously report everything and can't understand what is actually used or not. There are a total of 4 issues reported in my scanner at the moment:

• curl vulnerability - doesn't affect flux, fixed with a rebuild
• logrus v1.9.0 denial of service - Dependabot already updated that one, just needs a release - Error while reading from Writer: bufio.Scanner: token too long sirupsen/logrus#1370
• filepath-securejoin - Dependabot already updated that one, just needs a release - GHSA-6xv5-86q9-7xr8
• go vulnerabilities in 1.20.7 - should be fixed with a rebuild (I think, or does it need to be set in go.mod? Haven't touched go in a while)

Overall nothing serious, but could justify a release, especially since the last one is already a month old.

[makkes]

For anyone in search of a CVE-free Flux build, Weaveworks offers this as Weave GitOps Assured. That offering comes with certain SLAs around CVE-free builds and more: https://www.weave.works/product/gitops/