
Conversation

@xhable137 xhable137 commented Nov 21, 2025

Description

Fixed CVEs

This PR updates dependencies used in all Yandex cloud-provider components to fix previously identified CVEs.
After updating the modules and rebuilding the images, all cloudProviderYandex artifacts (cloud-controller-manager, cloud-data-discoverer, cloud-migrator, metrics-exporter, and yandex-csi-plugin) were rescanned with Trivy.
According to the latest scan results:
All CVEs that were previously detected in Yandex components have been fully resolved.
All five Yandex module reports now contain no vulnerabilities at all, confirming that the dependency updates were applied correctly.

Why do we need it, and what problem does it solve?

Removes HIGH-severity CVEs detected by Trivy in the cloudProviderYandex module.
Ensures the Yandex provider remains compliant with Deckhouse’s security baseline.
Aligns the module with patched versions of Go libraries (jwt, x/net, x/oauth2, x/crypto).
Eliminates false-positives in CI and restores a clean security state for all Yandex images.

Why do we need it in the patch release (if we do)?

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: cloud-provider-yandex
type: fix
summary: cloud-provider-yandex CVEs were fixed
impact_level: default

Signed-off-by: Artem Darmanyan <artem.darmanyan@flant.com>
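The description above states the acceptance criterion for this kind of dependency bump: after the rebuild, every one of the five cloudProviderYandex images is rescanned with Trivy and each report must come back with no findings. The following is an added example (not code from the Deckhouse repository or its CI) of a gate that enforces that criterion over Trivy's JSON output (schema v2, `Results[].Vulnerabilities[]`). The report fragments, image names under `registry.example/`, package versions and the `CVE-0000-000x` identifiers are constructed placeholders, not real vulnerabilities; the point is the handling of two failure modes a CI step easily gets wrong: a clean target (Trivy omits the `Vulnerabilities` key) and an artifact for which no report was produced at all, which must count as a failure rather than as "no vulnerabilities".

```python
"""Severity gate over Trivy JSON reports for a fixed set of images.

Example code added here; not part of Deckhouse or its CI. Sample reports are
constructed and use placeholder IDs (CVE-0000-000x), not real CVEs.
"""
import json

# The five cloudProviderYandex artifacts named in the PR description.
ARTIFACTS = ["cloud-controller-manager", "cloud-data-discoverer",
             "cloud-migrator", "metrics-exporter", "yandex-csi-plugin"]

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_report(path):
    """Parse one `trivy image -f json -o <path> ...` output file."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def findings(report, min_severity="HIGH"):
    """Return (id, pkg, installed, fixed, severity) tuples at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    hits = []
    for result in report.get("Results") or []:
        # Trivy omits "Vulnerabilities" (or emits null) for a clean target.
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            if SEVERITY_RANK.get(sev, 0) >= floor:
                hits.append((vuln["VulnerabilityID"], vuln["PkgName"],
                             vuln.get("InstalledVersion", "?"),
                             vuln.get("FixedVersion", ""), sev))
    return hits


def gate(reports, min_severity="HIGH"):
    """reports: {artifact name: parsed Trivy report}. Returns (ok, problems).

    Every artifact in ARTIFACTS must have a report, and that report must have
    no finding at or above min_severity. Use "UNKNOWN" for the strict
    "no vulnerabilities at all" reading used in the PR description.
    """
    problems = {}
    for name in ARTIFACTS:
        report = reports.get(name)
        if report is None:
            # A scan that never ran is not a clean scan.
            problems[name] = ["no Trivy report produced"]
            continue
        hits = findings(report, min_severity)
        if hits:
            problems[name] = [f"{vid}: {pkg} {inst} (fixed in {fixed or 'n/a'}) [{sev}]"
                              for vid, pkg, inst, fixed, sev in hits]
    return not problems, problems


def _report(artifact, vulns):
    """Build a minimal, constructed Trivy schema-v2 report for one image."""
    result = {"Target": f"usr/local/bin/{artifact}", "Class": "lang-pkgs",
              "Type": "gobinary"}
    if vulns:
        result["Vulnerabilities"] = vulns
    return {"SchemaVersion": 2, "ArtifactName": f"registry.example/{artifact}",
            "Results": [result]}


def build_sample_reports():
    """Constructed before/after report sets (placeholder IDs and versions)."""
    before = {
        "cloud-controller-manager": _report("cloud-controller-manager", [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "golang.org/x/net",
             "InstalledVersion": "v0.0.1", "FixedVersion": "v0.0.2",
             "Severity": "HIGH"}]),
        "cloud-data-discoverer": _report("cloud-data-discoverer", []),
        # cloud-migrator deliberately absent: its scan job produced no report.
        "metrics-exporter": _report("metrics-exporter", [
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "golang.org/x/crypto",
             "InstalledVersion": "v0.0.1", "FixedVersion": "v0.0.2",
             "Severity": "LOW"}]),
        "yandex-csi-plugin": _report("yandex-csi-plugin", []),
    }
    after = {name: _report(name, []) for name in ARTIFACTS}
    return before, after


if __name__ == "__main__":
    before, after = build_sample_reports()
    for label, reports in (("before", before), ("after", after)):
        ok, problems = gate(reports, "HIGH")
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for name, lines in problems.items():
            for line in lines:
                print(f"  {name}: {line}")
```

In a real pipeline `reports` would be built with `load_report` from the per-image JSON files the scan job writes; the gate then fails the job if any artifact is missing or dirty. Note that the HIGH threshold lets the constructed LOW finding in metrics-exporter through, while the strict `"UNKNOWN"` threshold does not; pick the threshold that matches the baseline you actually intend to enforce.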
@xhable137 xhable137 added this to the v1.75.0 milestone Nov 21, 2025
@github-actions github-actions bot added the area/cloud-provider Pull requests that update cloud providers modules label Nov 21, 2025
@xhable137 xhable137 added the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Nov 21, 2025

deckhouse-BOaTswain commented Nov 21, 2025

🟢 e2e: Yandex.Cloud for deckhouse:yandex_fix_cve succeeded in 38m41s.

Workflow details

Yandex.Cloud-WithoutNAT-Containerd-1.32 - Connection string: ssh redos@158.160.120.216

🟢 e2e: Yandex.Cloud, Containerd, Kubernetes 1.32 succeeded in 37m30s.

@github-actions github-actions bot removed the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Nov 21, 2025
@xhable137 xhable137 added the security/cve Run Trivy CVE Scan for Dev images on PR label Nov 21, 2025

deckhouse-BOaTswain commented Nov 21, 2025

🔴 Trivy CVE scan on PR for deckhouse:yandex_fix_cve failed.

Workflow details (1 job failed)

🔴 Trivy scan dev images failed.

@github-actions github-actions bot added security/cve/failed and removed security/cve Run Trivy CVE Scan for Dev images on PR labels Nov 21, 2025
Signed-off-by: Artem Darmanyan <artem.darmanyan@flant.com>
@xhable137 xhable137 added the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Nov 24, 2025

deckhouse-BOaTswain commented Nov 24, 2025

🟢 e2e: Yandex.Cloud for deckhouse:yandex_fix_cve succeeded in 39m11s.

Workflow details

Yandex.Cloud-WithoutNAT-Containerd-1.32 - Connection string: ssh redos@178.154.204.74

🟢 e2e: Yandex.Cloud, Containerd, Kubernetes 1.32 succeeded in 37m57s.

@github-actions github-actions bot removed the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Nov 24, 2025
@xhable137 xhable137 added the security/cve Run Trivy CVE Scan for Dev images on PR label Nov 24, 2025

deckhouse-BOaTswain commented Nov 24, 2025

🟢 Trivy CVE scan on PR for deckhouse:yandex_fix_cve succeeded.

Workflow details

🟢 Trivy scan dev images succeeded.

@github-actions github-actions bot added security/cve/success and removed security/cve Run Trivy CVE Scan for Dev images on PR labels Nov 24, 2025
@xhable137 xhable137 added the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Nov 24, 2025

deckhouse-BOaTswain commented Nov 24, 2025

🟢 e2e: Yandex.Cloud for deckhouse:yandex_fix_cve succeeded in 36m26s.

Workflow details

Yandex.Cloud-WithoutNAT-Containerd-1.32 - Connection string: ssh redos@178.154.201.213

🟢 e2e: Yandex.Cloud, Containerd, Kubernetes 1.32 succeeded in 35m16s.

@github-actions github-actions bot removed the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Nov 24, 2025
@xhable137 xhable137 added the security/cve Run Trivy CVE Scan for Dev images on PR label Nov 24, 2025

deckhouse-BOaTswain commented Nov 24, 2025

🟢 Trivy CVE scan on PR for deckhouse:yandex_fix_cve succeeded.

Workflow details

🟢 Trivy scan dev images succeeded.

@github-actions github-actions bot removed the security/cve Run Trivy CVE Scan for Dev images on PR label Nov 24, 2025
Signed-off-by: Artem Darmanyan <artem.darmanyan@flant.com>
@github-actions github-actions bot added the type/dependencies Pull requests that update a dependency file label Nov 24, 2025
Signed-off-by: Artem Darmanyan <artem.darmanyan@flant.com>
@xhable137 xhable137 added the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Nov 24, 2025

deckhouse-BOaTswain commented Nov 24, 2025

🟢 e2e: Yandex.Cloud for deckhouse:yandex_fix_cve succeeded in 41m21s.

Workflow details

Yandex.Cloud-WithoutNAT-Containerd-1.32 - Connection string: ssh redos@84.201.135.127

🟢 e2e: Yandex.Cloud, Containerd, Kubernetes 1.32 succeeded in 39m57s.

Artem Darmanyan added 2 commits November 26, 2025 14:11
Signed-off-by: Artem Darmanyan <artem.darmanyan@flant.com>
Signed-off-by: Artem Darmanyan <artem.darmanyan@flant.com>
@xhable137 xhable137 added the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Nov 26, 2025

deckhouse-BOaTswain commented Nov 26, 2025

🟢 e2e: Yandex.Cloud for deckhouse:yandex_fix_cve succeeded in 42m12s.

Workflow details

Yandex.Cloud-WithoutNAT-Containerd-1.32 - Connection string: ssh redos@84.252.129.46

🟢 e2e: Yandex.Cloud, Containerd, Kubernetes 1.32 succeeded in 40m55s.

@github-actions github-actions bot removed the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Nov 26, 2025
@xhable137 xhable137 added the security/cve Run Trivy CVE Scan for Dev images on PR label Nov 26, 2025

deckhouse-BOaTswain commented Nov 26, 2025

🟢 Trivy CVE scan on PR for deckhouse:yandex_fix_cve succeeded.

Workflow details

🟢 Trivy scan dev images succeeded.

@github-actions github-actions bot removed the security/cve Run Trivy CVE Scan for Dev images on PR label Nov 26, 2025
@xhable137 xhable137 marked this pull request as ready for review November 28, 2025 13:58
@aleksey-su aleksey-su modified the milestones: v1.75.0, v1.73.8 Dec 1, 2025
@aleksey-su aleksey-su added status/backport Cherry-pick PR to the release branch from the Milestone and removed security/cve/failed labels Dec 1, 2025
@aleksey-su aleksey-su merged commit 0fc9370 into main Dec 1, 2025
118 checks passed
@aleksey-su aleksey-su deleted the yandex_fix_cve branch December 1, 2025 09:27
github-actions bot pushed a commit that referenced this pull request Dec 1, 2025
---------

Signed-off-by: Artem Darmanyan <artem.darmanyan@flant.com>
Co-authored-by: Artem Darmanyan <artem.darmanyan@flant.com>
@deckhouse-BOaTswain deckhouse-BOaTswain removed the status/backport Cherry-pick PR to the release branch from the Milestone label Dec 1, 2025
deckhouse-BOaTswain added a commit that referenced this pull request Dec 1, 2025
---------

Signed-off-by: Artem Darmanyan <artem.darmanyan@flant.com>
Co-authored-by: xhable137 <40263246+xhable137@users.noreply.github.com>
Co-authored-by: Artem Darmanyan <artem.darmanyan@flant.com>
@deckhouse-BOaTswain (Collaborator) commented:

Cherry pick PR 16769 to the branch release-1.73 successful!


Taior commented Dec 1, 2025

/backport 1.74

github-actions bot pushed a commit that referenced this pull request Dec 1, 2025
---------

Signed-off-by: Artem Darmanyan <artem.darmanyan@flant.com>
Co-authored-by: Artem Darmanyan <artem.darmanyan@flant.com>
deckhouse-BOaTswain added a commit that referenced this pull request Dec 1, 2025
---------

Signed-off-by: Artem Darmanyan <artem.darmanyan@flant.com>
Co-authored-by: xhable137 <40263246+xhable137@users.noreply.github.com>
Co-authored-by: Artem Darmanyan <artem.darmanyan@flant.com>
@deckhouse-BOaTswain (Collaborator) commented:

Cherry pick PR 16783 to the branch release-1.74 successful!


Labels: area/cloud-provider (Pull requests that update cloud providers modules), security/cve/success, status/backport/success, type/dependencies (Pull requests that update a dependency file)
