update go version to fix CVE-2023-45284,CVE-2023-39326,CVE-2023-48795 #541

Merged 1 commit on Jan 5, 2024

kschoche
Contributor

@kschoche kschoche commented Jan 5, 2024

docker scout reported a few MEDIUM/LOW CVEs for 0.4.2; updating to Go 1.21.5 resolves 3 of them:

   0C     0H     2M     0L  stdlib 1.21.3 pkg:golang/stdlib@1.21.3
    ✗ MEDIUM CVE-2023-45284
      https://scout.docker.com/v/CVE-2023-45284
      Affected range : >=1.21.0-0
                     : <1.21.4
      Fixed version  : 1.21.4

    ✗ MEDIUM CVE-2023-39326
      https://scout.docker.com/v/CVE-2023-39326
      Affected range : >=1.21.0-0
                     : <1.21.5
      Fixed version  : 1.21.5

   0C     0H     1M     0L  golang.org/x/crypto 0.15.0 pkg:golang/golang.org/x/crypto@0.15.0

    ✗ MEDIUM CVE-2023-48795 [Insufficient Verification of Data Authenticity]
      https://scout.docker.com/v/CVE-2023-48795
      Affected range : <0.17.0
      Fixed version  : 0.17.0
      CVSS Score     : 5.9
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

@kschoche kschoche added this to the v0.4.3 milestone Jan 5, 2024
@kschoche kschoche self-assigned this Jan 5, 2024
@kschoche kschoche requested a review from a team as a code owner January 5, 2024 19:57
@kschoche kschoche merged commit 4ec9873 into main Jan 5, 2024
40 checks passed
@kschoche kschoche deleted the kschoche/update_go_version branch January 5, 2024 21:57
adrianmoisey pushed a commit to adrianmoisey/vault-secrets-operator that referenced this pull request Jan 16, 2024