Summary
HAProxy for ArgoCD HA was last updated June 14, 2023 to 2.6.14. Since that release there are two new CVEs categorized as High for that release.
Motivation
These are showing up as cyber security vulnerabilities in our scanning tools. We bumped HAProxy to 2.9.7 on our production Argo and are test-piloting the dependency change for issues.
Proposal
I've prepared a draft PR to version bump HAProxy from 2.6.14 to 2.9.7. After a period of testing on our Argo I can publish the draft PR. I selected 2.9.7 because it's the latest stable. However, 2.8 is LTS and contains the required CVE fixes. If the community prefers, we could test 2.8-alpine and automatically track patch updates to the LTS version of HAProxy. Or stay on 2.9-alpine and track patches to the later version, skipping LTS.
See #18158