
Various Vulnerabilities High and Medium scores. #721

Open
Aurelian-Shuttleworth opened this issue Nov 10, 2023 · 8 comments
Comments

@Aurelian-Shuttleworth (Contributor)

Describe the bug

Multiple high and medium vulnerabilities are included due to out-of-date packages.

High:

Medium:

How to fix

@Aurelian-Shuttleworth (Contributor, Author)

I have a working fork that I can convert to a merge request.

@khos2ow (Member) commented Nov 12, 2023

@Aurelian-Shuttleworth thank you for reporting this, and please do create a PR, if you already have a working fix.

@KostLinux commented Nov 14, 2023

Trivy scan also sent me some CVEs that are not in the list:

Major - CVE-2022-27664 - golang.org/x/net - v0.0.0-20210405180319-a5a99cb37ef4 - golang: net/http: handle server errors after sending GOAWAY

Major - CVE-2022-41723 - golang.org/x/net - v0.0.0-20210405180319-a5a99cb37ef4 - net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding

Major - CVE-2023-39325 - golang.org/x/net - v0.0.0-20210405180319-a5a99cb37ef4 - golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)

Major - CVE-2021-38561 - golang.org/x/text - v0.3.5 - golang: out-of-bounds read in golang.org/x/text/language leads to DoS

Major - CVE-2022-32149 - golang.org/x/text - v0.3.5 - ParseAcceptLanguage takes a long time to parse complex tags

Major - GHSA-m425-mq94-257g - google.golang.org/grpc - v1.38.0 - gRPC-Go HTTP/2 Rapid Reset vulnerability

Major - CVE-2022-28948 - gopkg.in/yaml.v3 - v3.0.0-20210107192922-496545a6307b - crash when attempting to deserialize invalid input

@Aurelian-Shuttleworth @khos2ow

@Aurelian-Shuttleworth (Contributor, Author)

@khos2ow Apologies for the delay. I will prepare an MR now.

@Aurelian-Shuttleworth (Contributor, Author)

@khos2ow please review PR-727.

@KostLinux can you test the updated image in PR-727 against Trivy? I don't have time currently.

@Aurelian-Shuttleworth (Contributor, Author)

@khos2ow Now that the latest changes have been merged, will it be possible to publish a v0.16.1 release?

@khos2ow (Member) commented Dec 18, 2023

Yes, I'm actually going through the PRs now to see which I can quickly merge and will cut a v0.17.0 release afterwards.

khos2ow added this to To do in v0.17 via automation Dec 18, 2023

@khos2ow (Member) commented Dec 19, 2023

These should now be fixed in v0.17.0.
