Add symbolic link file checks for CVE-2025-53547 #433
Conversation
Signed-off-by: Trilok Geer <[email protected]>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: TrilokGeer The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/retest |
|
@TrilokGeer: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
openshift-merge-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
4 participants
Description of the change:
Based on the analysis from GHSA-557j-xg8c-q2mm, the vulnerability in operator-sdk is found in the code path leveraging the
downloader.Manager.Build()method from Helm SDK. The fix for the CVE is adopted in the recent Helm SDK version 3.18.4. The same helm version is not adopted in the present release-4.18, hence, the PR adds update in the operator-sdk layer to mitigate the vulnerability.