K3s Images - Security Vulnerabilities

We are evaluating k3s. As part of the security review, we scanned all the k3s images corresponding to version 1.18.2+k3s1 (698e444). The scanning tool reported the CVEs below at severity level Critical (3) and High (10) (there are additional CVEs at medium/low severity).

Please clarify whether these CVEs will be addressed in an upcoming release. Also, do the k3s images get scanned during every release?

Critical:

CVE-2018-1000517
CVE-2019-14697
CVE-2019-19012

High:

CVE-2018-20679
CVE-2019-18276
CVE-2019-19203
CVE-2019-19204
CVE-2019-19604
CVE-2019-20454
CVE-2019-5747
CVE-2020-11008
CVE-2020-1967
CVE-2020-5260

I would appreciate it if someone could provide an update on the above query.

Thanks for the question.

We’ve started down the path of automated CVE scanning, but aren’t quite there yet.

As we work through that effort, we will be uplifting base images to get the images to pass the scanning.

Roughly targeting this for the v1.19.x timeframe.

Thanks for the update. Can you please provide the date when v1.19.x is planned for release?

@cjellick Can you please let us know when the next version (v1.19.x) is planned for? What is the timeframe in which these vulnerabilities will be addressed? Thanks.

I can’t give an exact timeframe. v1.19.0 is due out later this month (in line with upstream), but I don’t think we’ll have the base images updated by then.