7.5.1 forgeops base images with critical CVEs

[bvawdrey-zions-bancorp]

We've been notified by our security team that the images we're using as a base have some critical vulnerabilities. We've remidiated them manually by manipulating the Dockerfiles, but they should likely be fixed in the base images. We're using the latest 7.5.1 (timestamped) images marked below from http://releases.forgeops.com/

admin-ui - 7.5.1-202603311402

• CVE-2024-40896 | version of libxml2 needs to be updated to versions 2.13.3, 2.12.9 or 2.11.9

login-ui - 7.5.1-202603311402

• CVE-2024-40896 | version of libxml2 needs to be updated to versions 2.13.3, 2.12.9 or 2.11.9

end-user-ui - 7.5.1-202603311407

• CVE-2024-40896 | version of libxml2 needs to be updated to versions 2.13.3, 2.12.9 or 2.11.9

[bvawdrey-zions-bancorp]

I've tried updating to latest 8.0.1 versions and they also have the same vulnerability because libxml2 is v 2.11.8-r003

[lee-baines]

Hi @bvawdrey-zions-bancorp, I'll look into it for you

[lee-baines]

This is because the version if libxml2 is tied to the version of Alpine that the Platform UIs are built on 3.18. We are currently in the middle of the 8.1 release which should come with a later version of Alpine

[bvawdrey-zions-bancorp]

Was about to send you that info that I found out also.
We are running 7.5.x of AM, DS and IDM. If we update just admin, login and end-user UI to v8.1 when it releases, will that cause any compatiblity issues with AM/DS/IDM? or would there ever be a 7.5 image that fixes those vulnerabilities?

[lee-baines]

Thanks, I've just asked the UI team if they are planning a patch release soon