Guys there seem to be a critical vuln in the ECS deployment

Question

Guys there seem to be a critical vuln in the ECS deployment of fleet The package `zlib` version `1 2 12 r1` was detected in `APK package manager` on a container image running `Alpine 3 16 0` is vulnerable to `CVE 2022 37434` which exists in versions ` u003c 1 2 12 r2` n nThe vulnerability was found in the Official Alpine Security Advisories with vendor severity `Critical` NVD severity `Critical` n nThis vulnerability has a known exploit available Source Github 1 2 3 n nThe vulnerability can be remediated by updating the package to version `1 2 12 r2` or higher

Ojas · Answer

can we upgrade it without shutting down

Ojas · Answer

Status reason CannotStartContainerError ResourceInitializationError failed to create new container runtime task failed to create shim OCI runtime create failed container linux go 380 starting container process caused exec apk update executable file not found Command apk update tried using the new task to run command bit says not found

zwass · Answer

Luckily Fleet doesn t use `zlib` The next version of Fleet should be published today will use the new `alpine` base image that should have the fix though If you need it right now or with a different Fleet version you would need to build yourself from the <https github com fleetdm fleet blob main Dockerfile|Dockerfile>

Ojas · Answer

if new version is coming then i guess i can hold for that thanks slightly smiling face