Facing vulnerability issues with golang 1.19.7 versions in argocli #11023

Closed
rujutaghanekar opened this issue May 2, 2023 · 3 comments
Labels
go (Pull requests that update Go dependencies); P2 (Important. All bugs with >=3 thumbs up that aren’t P0 or P1, plus: Any other bugs deemed important); type/dependencies (PRs and issues specific to updating dependencies); type/feature (Feature request); type/security (Security related)

Comments

rujutaghanekar commented May 2, 2023

Summary

Facing vulnerability issues with golang 1.19.7 version in argocli since they are older/outdated versions.
Argo cli version used - https://github.com/argoproj/argo-workflows/releases/tag/v3.4.7


Is there any latest release that will cover the vulnerabilities below?
CVE-2023-24538
CVE-2023-24537
CVE-2023-24536
CVE-2023-24534

@rujutaghanekar rujutaghanekar added the type/feature Feature request label May 2, 2023
@terrytangyuan
Member

We can bump to 1.20 for next release.

@terrytangyuan terrytangyuan added the P2 Important. All bugs with >=3 thumbs up that aren’t P0 or P1, plus: Any other bugs deemed important label May 2, 2023
@terrytangyuan
Member

I wonder why Snyk didn't catch this earlier.

terrytangyuan added a commit to terrytangyuan/argo-workflows that referenced this issue May 3, 2023
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
terrytangyuan added a commit that referenced this issue May 25, 2023
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
JPZ13 pushed a commit to pipekit/argo-workflows that referenced this issue Jul 4, 2023
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
@agilgur5 agilgur5 added type/security Security related type/dependencies PRs and issues specific to updating dependencies go Pull requests that update Go dependencies labels Aug 28, 2023
dpadhiar pushed a commit to dpadhiar/argo-workflows that referenced this issue May 9, 2024
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
Signed-off-by: Dillen Padhiar <dillen_padhiar@intuit.com>