Description
Hi Guys,
I stumbled over the question of how to track openshift-builder releases with PRs and CVEs being incorporated.
For example the CVE https://access.redhat.com/security/cve/CVE-2024-11218 tracked in Red Hat's Issue tracker as https://issues.redhat.com/browse/RHEL-67617.
I do understand the RPM verification path, but since the image shipped in OCP seems to use a single binary build included from the build stage, I am lacking any possibility to verify if the images used in a cluster are safe to use or not.
Can someone please give me a hint where to look to understand if something was merged and published or not ...
The best I can come up with right now is to check the version, which doesn't report the details:
[root@ddeea4797072 /]# openshift-docker-build version
openshift-docker-build 4.14.0-202502111935.p0.gecbcf80.assembly.stream.el8-ecbcf80
Buildah version v1.31.0
This image version should have the CVE included, but there is no way to tell if I need to refresh the images (cluster update) or not.
Thanks for any hint on that...
All the best and kind regards
Michi