Please upgrade Go runtime (>= 1.19.7) to fix security vulnerabilities

[jhauglid]

The currently used version of the Go runtime (1.19.5) have several high severity security vulnerabilities that can be detected by scanners such as the Google Artifact Registry scanner.

Here's a list of issues:
https://security-tracker.debian.org/tracker/CVE-2022-41724
https://security-tracker.debian.org/tracker/CVE-2022-41725
https://security-tracker.debian.org/tracker/CVE-2023-24532
https://security-tracker.debian.org/tracker/CVE-2022-41723

All of these have been fixed in 1.19.7.
Please consider upgrading.

[Tulsishah]

Thanks, @jhauglid, for the information. The issue has been fixed. Please feel free to reopen if any problem occurs.

[zchenyu]

Has the binary in https://packages.cloud.google.com/apt/ been updated yet?

I just installed/upgraded it and it still shows

$ gcsfuse -v
gcsfuse version 0.42.3 (Go version go1.19.5)

[Tulsishah]

Oh, Sorry, my bad, It will come in up coming release.

[zchenyu]

Thanks, do you have a rough timeline? days, weeks?

[Tulsishah]

We usually do a release at month's end. So the next release is expected on April end.

[zchenyu]

Is it possible to do an extra release for this security issue?

[Tulsishah]

Is it possible to do an extra release for this security issue?

Sorry, it will be done at month end only.

[Tulsishah]

Please refer new release - https://github.com/GoogleCloudPlatform/gcsfuse/releases/tag/v0.42.4
feel free to reopen the issue if you face any problem