Security Vulnerability in Percona XtraDB Operator for Go Lang?

Hello,

As I am seeing, we are using “golang:1.13” in pxc-xtradb-cluster (1.8/1.9/1.10) versions, but there is a security vulnerability found related to that Golang version.

  • CVE-2021-38297
  • CVE-2021-44716
  • CVE-2021-33196

Did we try updating the Golang version to fix these security issues, or is the Percona code compatible with an upgraded Golang version?

If I manually try to update, then is there any process to run E2E test cases to test it out?

Thanks
Chandra

1 Like

Thank you for this report, please note that this is not the appropriate channel for such enquiries; however, I will note that GoLang is not in use for percona-xtradb-cluster.

Therefore we are presuming for the moment you refer to percona-xtradb-cluster-operator, for which golang 1.17 (see: Update golange to 1.17 (#1003) · percona/percona-xtradb-cluster-operator@23b57c8 · GitHub) is in use within the Containerfile (read: Dockerfile) at the time of writing (and during the PXC Operator 1.10.0 release), and is not affected by the CVEs listed in this post.

In future, please refer to Percona Security for instructions on where to enquire about or report issues with our open source products.

David Busby

1 Like

Thanks @David_Busby
But could you please help me find the code base for the Docker image “percona-xtradb-cluster:8.0.22-13.1”: from which code base it is built and which Dockerfile is used to build this image.

Also, the confusing part is that there are multiple references to the Percona Docker repo as well... in some places I found “GitHub - percona/percona-docker: Collection of Dockerfiles for Percona software. See individual directories for more details.” while elsewhere it's "GitHub - Percona-Lab/percona-docker: Collection of Dockerfiles for Percona software. See individual directories for more details."

Please help me to find code base for that specific version.

1 Like

@cmg1986 the Dockerfiles for PXC can be found here: percona-docker/percona-xtradb-cluster-8.0 at main · percona/percona-docker · GitHub.

perconalab repos are usually for experimenting.

1 Like

Thanks @spronin
But could you please help me out with how I may build a new Docker image by updating the GoLang version in the Dockerfile for percona-docker/percona-xtradb-cluster-8.0 at main · percona/percona-docker · GitHub.

I tried to fork the project and create a branch from that tag, but that didn't work out.

1 Like
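The procedure asked about in this thread (find the golang builder tag in a Dockerfile, decide whether it is below the version you need, and rewrite the FROM line before rebuilding) as an added shell example. This is not code from the thread or from Percona: the Dockerfile it operates on is a constructed stand-in written to a temporary directory, and the minimum version `1.17.5` is an assumed value for illustration; take the real minimum for a given CVE from the Go release notes.

```shell
#!/usr/bin/env bash
# Added example: bump the golang builder image in a Dockerfile and verify the
# result before building. Not Percona's code; the Dockerfile below is a
# constructed stand-in and the minimum version is an assumed parameter.
set -eu

# Print the tag of the first "FROM golang:<tag>" line (e.g. "1.13" or "1.17.5").
# Tolerates an optional "--platform=..." flag and an "AS <stage>" suffix.
golang_tag() {
    sed -n -E 's/^FROM[[:space:]]+(--platform=[^[:space:]]+[[:space:]]+)?golang:([0-9][^[:space:]]*).*$/\2/p' "$1" | head -n 1
}

# Return 0 when dot-separated version $1 is >= version $2, comparing field by
# field numerically so that "1.17" > "1.16.12" and "1.13" < "1.17.5".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in A) ? A[i] + 0 : 0
            y = (i in B) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Write a copy of Dockerfile $1 to $3 with the golang tag replaced by $2,
# keeping any --platform flag and "AS <stage>" suffix intact.
bump_golang_tag() {
    sed -E "s/^(FROM[[:space:]]+(--platform=[^[:space:]]+[[:space:]]+)?golang:)[0-9][^[:space:]]*/\1$2/" "$1" > "$3"
}

# Constructed multi-stage Dockerfile, shaped like a typical Go operator build.
workdir=$(mktemp -d)
cat > "$workdir/Dockerfile" <<'EOF'
FROM golang:1.13 AS go_builder
WORKDIR /src
COPY . .
RUN go build -o /out/app .

FROM registry.access.redhat.com/ubi8/ubi-minimal
COPY --from=go_builder /out/app /usr/local/bin/app
EOF

minimum="1.17.5"   # assumed minimum for this illustration
current=$(golang_tag "$workdir/Dockerfile")
if version_ge "$current" "$minimum"; then
    echo "golang:$current already satisfies >= $minimum"
else
    echo "golang:$current is below $minimum; writing Dockerfile.new"
    bump_golang_tag "$workdir/Dockerfile" "$minimum" "$workdir/Dockerfile.new"
    grep -n '^FROM' "$workdir/Dockerfile.new"
fi

# With the project source checked out and docker available, build from the
# patched file (left commented so the script runs offline):
# docker build -f "$workdir/Dockerfile.new" -t local/app:gobump .
```

The FROM tag only tells you which builder image the Dockerfile requests; the toolchain that actually compiled a shipped binary is embedded in the binary itself, so after building, check it with `go version -m <path-to-binary>` on a copy extracted from the image rather than trusting the Dockerfile alone.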