We're using traefik in our k8s and would like to know if the current vulnerabilities showing in this last image will be addressed soon. Thanks in advance.
It looks like version 2.10.5 was just released, but with the same hashicorp/consul 1.10.12 version which has vulnerabilities. I'm curious why this hasn't been updated for so long. It's been months.
You asking here on the forum indicates that you use the free version. Someone has to pay for it
it seems little revenue for the Traefik proxy product, developers let go middle of the year, little resources placed on it.
But I agree, updating a dependency should not be so complicated.
Interesting if true that their team is lite right now. I feel bad for the paying customers then. Vulnerabilities should be addressed as quick as possible. The slowdown of the frequency of updates makes sense now.
Hi @sstetlerms, thanks for your interest in Traefik!
Could you please provide a link to the CVE?
Please be sure that we analyze all the CVEs related to Traefik and guarantee their treatment in the shortest possible time when we are impacted by them.
@bluepuma77 Any update can have potential side effects.
For example, an update of Consul can produce an update of gRPC, but gRPC is known to break things between patch/minor versions.
Please be sure that we update dependencies!
Thanks, waiting for next release
Hi @svx, Sure. There are actually multiple related to the Consul package. They're all in the docker image vulnerabilities tab. The longest running vulnerability is over 6 months old. Here's the 2.10.5 image link for convenience. Image Layer Details - traefik:v2.10.5 | Docker Hub
we are not affected by those CVEs because they affect pieces of code that we don't use.
The Consul CVE is about the Consul server but we are only using the client API.
The Docker CVEs are about the daemon and the API server, we are only using the client API.
The AWS CVEs are about AWS S3 Crypto, we are only using the DNS API.
Thanks for the update @svx! The issue on our end is that our vulnerability scanners detect vulnerabilities in packages. There's no way for these types of scanners or developers to be aware of what pieces are used. Can you confirm if these will ever be resolved and if so how soon it might be. I get that it's probably not a high priority now, but I would think leaving them in might cost in the "long run" in terms of others deciding on this product vs a competitor. I'll let my manager / team know and, hopefully, we won't be forced to move off of Traefik. Unfortunately, the trying to convince higher ups that vulnerable pieces aren't used hasn't worked in the past.
Please be sure that we analyse all CVEs related to Traefik and guarantee their treatment in the shortest possible time when we are impacted by them.
If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, by creating a security advisory.
We're updating dependencies on a regular basis.
I can't give you a timeline when a certain dependency will be updated.
For example, if Traefik is not impacted by the reported CVE of a package, we may not update the package and thus Traefik, right away.
False positives related to vulnerability scanning tools are a known issue.
I trust that your team will address the actual vulnerabilities and I get not taking the time to address the false positive ones right away. I wasn't calling out that there's a vulnerability in traefik. I was simply pointing out that it might be worth addressing all vulnerabilities since it doesn't look good for vulnerabilities to show in places like docker hub. It's too bad there's not an easy way to tag these as false positives. Regardless, it sounds like this one will be addressed at some point. I'll let my team know there's no timeline for resolving. Thanks.
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.