@suyadav1 suyadav1 commented Jan 7, 2026

This pull request updates the kubernetes/linux/setup.sh script to address security vulnerabilities and upgrade key monitoring dependencies. The main changes include patching a CVE in the uri gem and updating the installation process for telegraf-agent and azcu-fluent-bit to newer versions.

Security vulnerability mitigation:

  • Removed the vulnerable uri gem (CVE-2025-61594), deleted its files, and installed the patched version 0.13.3. (kubernetes/linux/setup.sh)

Dependency upgrades:

  • Updated the installation of telegraf-agent from version 1.36.4 to 1.37.0; will replace with the official version once the dalec PR is merged.
  • Upgraded azcu-fluent-bit from version 4.0.9 to 4.1.1. (kubernetes/linux/setup.sh)

Resource usage
Before:
image
image

After:
image
image

Data validation
image

@suyadav1 suyadav1 requested a review from a team as a code owner January 7, 2026 22:38
suyadav1 commented Jan 7, 2026

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

gem uninstall uri --force
rm /usr/lib/ruby/gems/3.3.0/specifications/default/uri-0.13.2.gemspec
rm -rf /usr/lib/ruby/gems/3.3.0/gems/uri-0.13.2
gem install uri -v "0.13.3" --no-document
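
Review bot: The two `rm` lines hard-code both the Ruby gem directory (`3.3.0`) and the bundled gem version (`uri-0.13.2`), so they only work while the base image ships exactly that pair. If the image moves to a different Ruby or default uri, the plain `rm` of the gemspec returns an error for a missing file, while the `rm -rf` line removes nothing and leaves whatever default uri the image ships in place. Consider deriving the paths from the interpreter (for example from `gem env` output) or using `rm -f`, and add a check after `gem install uri -v "0.13.3" --no-document` that fails the build unless `gem list uri` reports only 0.13.3, so the CVE-2025-61594 fix is verified rather than assumed. A short comment explaining that the manual deletes are needed because `specifications/default/uri-0.13.2.gemspec` marks uri as a default gem would also help the next maintainer.
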
Contributor

If the uri gem is not used, why install it again on line 47?

Contributor

If not used, we remove it.
If it is used, since uri 0.13.2 is installed as a part of Ruby 3.3.0, instead of installing uri 0.13.3 for Ruby 3.3.0, which might cause compatibility issues, should we upgrade to a Ruby version that has uri 0.13.3?

Contributor Author

@suyadav1 suyadav1 Jan 7, 2026

Sorry, missed updating the comment. The uri gem is required.
