
Dependencies updated or ignored for CVE vulnerabilities#2173

Open
elelaysh wants to merge 2 commits into stackhpc/2025.1 from ft/bump-grafana-etcd

Conversation

@elelaysh
Contributor

@elelaysh elelaysh commented Feb 24, 2026

  • Bump cadvisor to 0.56.2

  • Ignore CVE-2024-24790 in prometheus mtail exporter
    Control plane is trusted.

  • Bump grafana to 12.3.3 to fix CVE-2025-68121
    grafana server 12.3.3 is fixed but the opensearch-datasource plugin is still affected.

  • Bump etcd to 3.5.27 to fix CVE-2025-68121

  • Ignore CVE-2025-68121 for prometheus images
    • server-side: exporters and server are not listening with TLS
    • as client: only querying known services

  • Ignore CVE-2025-68121 for influxdb
    No new version is available and it runs on a secure network.

  • Ignore CVE-2025-68121 for letsencrypt-lego
    It only talks to known servers.

  • Ignore CVE-2025-68121 for neutron
    Report caused by the docker client, and we don't speak to remote docker over TLS.

  • Ignore CVE-2026-27699 for opensearch-dashboard
    basic-ftp@5.0.5 is present in opensearch-dashboards 2.19.4

@elelaysh elelaysh requested a review from a team as a code owner February 24, 2026 13:20
@elelaysh elelaysh force-pushed the ft/bump-grafana-etcd branch from d90bbda to c50bc98 on February 24, 2026 13:22
Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates several dependencies to address CVEs and ignores others with justifications. The dependency updates for etcd, cadvisor, and prometheus-msteams look correct. The CVE suppressions are also in line with the descriptions. My main feedback is to add the justifications for ignoring CVEs as comments in the allowed-vulnerabilities.yml file. This will improve the maintainability of the configuration by making it self-documenting, explaining why certain vulnerabilities are considered acceptable risks in this context.

@elelaysh
Contributor Author

Cherry-picked 3c961f2 from stackhpc/2024.1

@Alex-Welsh
Member

@elelaysh are you going to rebuild against this spec, or do the current containers conform to this?

@elelaysh elelaysh force-pushed the ft/bump-grafana-etcd branch from c50bc98 to a1e1c6f on March 2, 2026 10:40
@elelaysh
Contributor Author

elelaysh commented Mar 2, 2026

@elelaysh are you going to rebuild against this spec, or do the current containers conform to this?

Yes: I need to rebuild:

  • etcd
  • grafana
  • cadvisor

@elelaysh
Contributor Author

elelaysh commented Mar 3, 2026

Rebuilt container images with tag 2025.1-rocky-9-20260303T104901: https://github.com/stackhpc/stackhpc-kayobe-config/actions/runs/22619571977
