# k3s
a
@creamy-pencil-82913 do we patch k3s-upgrade:<someversion> images once it hits a HIGH/critical vuln? I see k3s-upgrade:1.32.6 has a high vuln but I'm not sure if there is any remediation for these
c
No. The release is the release. It doesn't change once it's out. To address bugs and vulnerabilities, you must upgrade.
What vuln are you seeing in that image? Is your scanning tool looking at our VEX data?
a
Using Trivy for vuln scanning
c
If you’re going to do that, you should pass it our VEX Hub data. Or better yet, just look at our scans, which also use Trivy with the proper data already provided: https://scans.rancher.com/
v1.32.9 is the latest release in the 1.32 minor. We follow the best practice of using immutable tags; there will never be any updates to old images. https://scans.rancher.com/k3s-v1.32.9.html