[Public security vulnerability]: update dependency versions please #719
Labels
kind/feature
Categorizes issue or PR as related to a new feature.
needs-triage
Indicates an issue or PR lacks a `triage/foo` label and requires one.
Comments
squeakymouse
added
kind/feature
|
Looks like there was just a release that should have this fix in it https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/tag/v0.6.20 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What would you like to be added?
Could you please update the golang.org/x/net version to 0.23.0, and then release a new version of aws-iam-authenticator after that? Due to security vulnerabilities found from the latest 0.6.14 version.
Why is this needed?
Security scan results from a Docker image that uses the latest 0.6.14 version of
aws-iam-authenticatorhave highlighted the CVE-2023-45288 vulnerability in thegolang.org/x/netdependency, and the CVE-2024-24786 vulnerability in thegoogle.golang.org/protobufdependency. (I think the google.golang.org/protobuf version pinned in the code is up-to-date enough, but the latest released version of aws-iam-authenticator is not using this yet.)Anything else we need to know?
No response
The text was updated successfully, but these errors were encountered: