[BUG] Use go-tuf version v0.3.2-vulnerability fix for the package #13571

Open
vasireddy99 opened this issue Sep 17, 2022 · 1 comment

Comments

@vasireddy99

Agent Environment

Describe what happened:

go-tuf has made a patch release, v0.3.2, regarding a potential vulnerability, and it is encouraged to use that instead of v0.3.0.

Describe what you expected:

Use go-tuf version >=v0.3.2

Steps to reproduce the issue:

Additional environment details (Operating System, Cloud provider, etc):

@arbll
Member

arbll commented Sep 26, 2022

Hey @vasireddy99, the vulnerability was reported by our very own @cedricvanrompay-datadog at theupdateframework/go-tuf#369 and we confirmed we were not impacted.

We're also not immediately upgrading because we had to fork go-tuf until theupdateframework/go-tuf#384 is merged. Once that's done we'll move to the v0.3.x backport of it.

I'll leave this open until we upgrade. Thanks for the report!

@arbll arbll closed this as completed Sep 26, 2022
@arbll arbll reopened this Sep 26, 2022