The current Dockerhub official image hasn't been updated in 4 months. There are two go-related "High" vulnerabilities pertaining to this image that rebuilding will fix.
Update go builder to use a version newer than 1.21.5. Currently, 1.21.3 is vulnerable to CVE-2023-45285. I am building from source and rebuilding the image with go version 1.21.7.
The emicklei/go-restful module in the official image is using v3.9.0 and in the main branch this is already showing 3.11.0. Versions prior to 3.10.0 are vulnerable to authentication bypass. Simply rebuilding will result in this being corrected.
Ideally, when merges happen into main we could get a pipeline to re-publish 1.3.1 tagged image on Dockerhub. If nothing else, rebuilding on a monthly release cycle for the docker images would likely cover most patching.
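An added example, not code from the issue or from the project: a small Python checker that parses the output of `go version -m` run against the binary extracted from the published image and flags a Go toolchain or module below a minimum version, which is the check a maintainer could wire into the rebuild pipeline the issue asks for. The binary name, the sample build info and the minimum versions (Go 1.21.5 and go-restful v3.10.0, taken from the issue text) are assumptions.

```python
import re

# Constructed sample of `go version -m <binary>` output for the binary pulled out of
# the older image the issue describes (hash column replaced by a placeholder).
SAMPLE_BUILDINFO = """\
vault-k8s: go1.21.3
\tpath\tgithub.com/hashicorp/vault-k8s
\tmod\tgithub.com/hashicorp/vault-k8s\t(devel)
\tdep\tgithub.com/emicklei/go-restful/v3\tv3.9.0\th1:placeholder
\tbuild\t-buildmode=exe
"""
# Minimum acceptable versions, taken from the issue text (an assumed policy, not
# an official list; extend MIN_MODULES with whatever your scanner flags).
MIN_GO = (1, 21, 5)
MIN_MODULES = {"github.com/emicklei/go-restful/v3": (3, 10, 0)}


def parse_version(s):
    """Turn 'go1.21.3' or 'v3.9.0' into a comparable tuple of ints."""
    m = re.match(r"(?:go|v)?(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def parse_buildinfo(text):
    """Return (toolchain version, {module path: version}) from `go version -m` output."""
    lines = text.splitlines()
    go_version = lines[0].split(":", 1)[1].strip()
    modules = {}
    for line in lines[1:]:
        fields = [f for f in line.split("\t") if f]  # drop the indentation tab
        if len(fields) >= 3 and fields[0] in ("dep", "mod"):
            modules[fields[1]] = fields[2]
    return go_version, modules


def find_outdated(text):
    """Return findings for a toolchain or module below the configured minimum."""
    go_version, modules = parse_buildinfo(text)
    findings = []
    if parse_version(go_version) < MIN_GO:
        findings.append(f"toolchain {go_version} < go{'.'.join(map(str, MIN_GO))}")
    for path, minimum in MIN_MODULES.items():
        have = modules.get(path)
        if have is None or have == "(devel)":  # not linked in, or the main module
            continue
        if parse_version(have) < minimum:
            findings.append(f"{path} {have} < v{'.'.join(map(str, minimum))}")
    return findings
```

Run `find_outdated(...)` on the real output of `go version -m` against the binary copied out of the image; an empty list means the rebuild picked up both fixes.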
Hi @jbreed, v1.4.0 is now out and should address your concerns. And as a reminder, please use security@hashicorp.com for bringing up security issues with the injector.
As for rebuilding in between releases, it's something we've discussed internally but nothing concrete yet.