A couple of CVEs in dns-node-cache 1.23.1

[golibali]

Our vurnerablilty scan reported, that the k8s-dns-node-cache image is vurnerable. Probably the base image has the issues:

• CVE-2023-5678
• CVE-2023-6129
• CVE-2023-6237
• CVE-2024-0727
• CVE-2024-2511
• CVE-2024-4603
• CVE-2024-4741
• CVE-2024-6119
• CVE-2024-9143

All of them is about a vurnerable libssl3 package (3.0.11-1~deb12u2)
Fix version is: 3.0.15-1~deb12u1

[dereknola]

A new release is desperately needed. I recently fixed the CI and bumped some dependencies, but this repo lack maintainers right now.

[golibali]

Thank you @dereknola ! I don't have right to create new release. Do you have, and if yes, can you create a new one?

[DamianSawicki]

I just cut a new release today https://github.com/kubernetes/dns/releases/tag/1.24.0.

[cwayne18]

thank you @DamianSawicki! If you all are looking for some help maintaining this repo we would love to help out

[golibali]

Thank you @DamianSawicki !

[golibali]

@DamianSawicki could you create a docker image from the new release as well?

[DamianSawicki]

@DamianSawicki could you create a docker image from the new release as well?

Yes, I didn't do that yesterday because I needed to wait for the images to be built and pushed (https://testgrid.k8s.io/sig-network-dns#dns-push-images).

[DamianSawicki]

I've created

• Promote kubedns 1.24.0 k8s.io#7607 and
• Bump kubedns and nodelocaldns to 1.24.0 kubernetes#129175

[golibali]

Thank @DamianSawicki again!

The docker image is available now:

$> docker pull registry.k8s.io/dns/k8s-dns-node-cache:1.24.0
1.24.0: Pulling from dns/k8s-dns-node-cache
9e671998c23c: Pull complete 
8229691059b3: Pull complete 
Digest: sha256:4948bbaba73cf692398586ba1853b2ac8a7d6360e937371468d4780f90774f37
Status: Downloaded newer image for registry.k8s.io/dns/k8s-dns-node-cache:1.24.0
registry.k8s.io/dns/k8s-dns-node-cache:1.24.0