This repository has been archived by the owner on Jul 6, 2023. It is now read-only.
heketi-deps release tarball bundles x/net/html with CVE #1372
Comments
|
@phlogistonjohn it is much appreciated if an updated heketi-deps tarball can get released! |
|
I'm not sure what the best approach for handling this will be. Let's discuss with @obnoxxx @raghavendra-talur . |
|
Does Heketi provide any html interface/api or use x/net/html ? |
No. It's bundled in because of golang's wonderful approach to dependencies. I hope to do a dependency refresh soon (famous last words). I hope that will allow us to close this issue. |
|
(Ahh. closed too many issues I had an itchy trigger finger) |
|
A full refresh of dependencies was done for heketi v10.4.0. Soon is a relative term. Closing. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Kind of issue
Bug
Observed behavior
Bug 1633022 has been reported against the Heketi package in Fedora. CVE-2018-17142 relates to the fix in golang/go#27702.
It seems Heketi itself does not call
html.Parse()itself, nor isx/net/htmllisted in theglide.lock. However, it still gets included in the heketi-deps tarball. Probably some other package depends on it?Expected/desired behavior
No known CVEs in the latest release tarballs.
The text was updated successfully, but these errors were encountered: