# harvester
a
This message was deleted.
👀 1
m
Hey @bumpy-portugal-40754 - I'm just going to verify this for you but I'm nearly certain the RKE2 team will be releasing a fix 🙂
Where did you hear they wouldn't?
This will be fixed in 1.2.2 and 1.3.0.
b
@many-thailand-98649 Well, they told me at https://github.com/rancher/rke2/discussions/5353
But you might change the RKE2 version for new releases. We're still running 1.1.2 on 2 clusters and now are forced to go to 1.2.2 (which will hopefully work as a direct upgrade)
m
So, for Harvester the updates to rke2 1.26 and 1.27 containing these fixes will be incorporated into Harvester 1.2.2 and 1.3.0 asap. People on 1.1.x will have to go to 1.2.1 and then 1.2.2 because we cannot make the leap from 1.24 directly, but Harvester 1.2.x is stable. I hope that helps
b
Thanks! Let's see when asap is :-) In general it seems (to me) a bad idea to run Harvester with such outdated and unsupported RKE2 versions. It's probably because of Rancher dependencies, but I don't care. What will happen when the next runc vulnerability appears tomorrow? Or one day after 1.2.2 is released? Or when the next vulnerability is in kubevirt? Are you able to create a release asap because of such a serious vulnerability? Currently the lifecycle of Harvester seems (to me) not appropriate for an enterprise product, especially regarding CVE handling. But you can prove me wrong, please do :-)
m
Totally understood, and appreciate the feedback too! We recognise we can do better here, especially when it concerns CVE handling. I know that's a bit of a wishy-washy answer, but do know that I've got it top-of-mind at the moment and we're aligning internally to see how we can handle this better in future 🙂
👍 1