Update tiflash base image version

@ilovesoup Can you help me upgrade the base image of TiFlash v4.0.16 to the newest version to avoid critical vulnerability issues? TiFlash is not open source so I can’t do it by myself.


Hi, thanks for your question. Could you please provide your operation steps for the upgrade? If your TiDB cluster uses TiDB Operator on Kubernetes, refer to these documents: https://docs.pingcap.com/tidb-in-kubernetes/stable/upgrade-tidb-operator

Yep, I get your point now. I have sent this question to our security team; it may take some more wait time, and we will feed back a workaround.

By the way, if you want to get more user benefits, you can register for customer certification on the AskTUG forum: Team certification guide

Hi, we’ve reached out to the team that maintains the image, and our internal image update process will take some time. If this problem is very urgent, you can try the following method: use pingcap/tiflash:v4.0.16 as the base image to build a new image, and update the system dependencies during the rebuild process, as shown in the following Dockerfile:

```dockerfile
FROM pingcap/tiflash:v4.0.16

RUN yum update -y
```

Hi, the image upgrade work is in progress. Dependency upgrades introduce some behavioral changes that can lead to serious bugs in specific scenarios. We need some time to analyze and resolve these issues. If everything goes well, the update will be completed next week.

Hello, sorry to inform you that due to limited QA resources, the update of the base image will be released in the next versions (including 5.0.7, 5.1.4, 5.2.4, 5.3.1, 5.4.0, and possibly 4.0.17).
Temporary solution (upgrade only the nss and expat packages):

```dockerfile
FROM pingcap/tiflash:v4.0.16

RUN yum update -y nss expat
```
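An added example (not from this thread or from PingCAP) that automates the workaround above and checks that the rebuild actually changed the two packages: it writes the two-line Dockerfile, builds a local image, and compares `rpm -q` output for nss and expat between the base and rebuilt images. The local tag `local/tiflash:v4.0.16-nss-expat` and the availability of `docker` and `rpm` inside the image are assumptions.

```shell
#!/bin/sh
# Rebuild pingcap/tiflash:v4.0.16 with updated nss/expat and verify the
# upgrade took effect. Tag name below is an assumption, not a PingCAP image.
set -eu

BASE="pingcap/tiflash:v4.0.16"
NEW="local/tiflash:v4.0.16-nss-expat"

# Print "name version-release" for nss and expat as installed in an image.
pkg_versions() {
  docker run --rm --entrypoint rpm "$1" \
    -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' nss expat
}

# Compare two "name version" lists (old file, new file). Prints each package
# whose version changed; returns 1 if any package did not change or vanished.
changed_packages() {
  old="$1"; new="$2"; rc=0
  while read -r name ver; do
    newver=$(awk -v n="$name" '$1==n {print $2}' "$new")
    if [ -z "$newver" ]; then
      echo "$name: missing in rebuilt image" >&2; rc=1
    elif [ "$newver" = "$ver" ]; then
      echo "$name: still $ver (not updated)" >&2; rc=1
    else
      echo "$name: $ver -> $newver"
    fi
  done < "$old"
  return $rc
}

# Write the workaround Dockerfile, build it, and diff package versions.
build_and_verify() {
  tmp=$(mktemp -d)
  printf 'FROM %s\nRUN yum update -y nss expat && yum clean all\n' "$BASE" \
    > "$tmp/Dockerfile"
  docker build -t "$NEW" "$tmp"
  pkg_versions "$BASE" > "$tmp/before.txt"
  pkg_versions "$NEW"  > "$tmp/after.txt"
  changed_packages "$tmp/before.txt" "$tmp/after.txt"
}

if [ "${1:-}" = "run" ]; then
  build_and_verify
fi
```

Run it as `sh rebuild-check.sh run`; a non-zero exit means a package was not actually updated, so the rebuilt image should not be deployed.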

As the support period for 4.x is about to expire (not sure if there will be a patch version in the future), it is recommended to upgrade to 5.x. The earliest fixes will be 5.1.4 and 5.4.0, which will be released next month.

The suffix comes from the git subcommand option `--dirty` (see pd/Makefile#L41 and `git describe` for more details); we use this suffix to help mark the development version of the binary.
