gogo protobuf CVE-2021-3121 (< 1.3.2) in go.sum (indirect dependencies) #10581
Comments
Hi, if you believe that there is a security issue in Telegraf, I would ask that you use the disclosure process laid out by the project. When you filed this bug, there was an option for "Report a security vulnerability". That would have taken you to the security.md, which lists how to disclose a vulnerability.
For example, your list shows these two different K8s clients:
However, our go.mod specifies the following version, which will be included in the final binary:
To see what versions come with a binary you can run:
Does this resolve your concern?
Woops, did not mean to close this, till you have had a chance to respond.
Been nearly a week, so I am going to resolve this.
Thanks for the explanation, that works. Side note: one or more indirect references still depend on the vulnerable version.
If you have a full list I'd be curious to see it. Might be an opportunity to work with upstream on updates. I've seen you do a few updates to a couple projects already.
Do I Have A List?
Yes; with regard to Telegraf, I was going by the list I pasted earlier.
Upstream Dependencies (My Observations):
Types Of Fixes (My Thoughts):
When successfully completed, their
Golang Feature Gaps (My Thoughts):
Ideally, golang-toolset will need to solve this problem -- i.e. e.g. by providing a simpler way to:
Thinking Out Loud/Conclusion
If, why, how, when, what, where,...to get all these done? Well, I don't know 😅 I just think that getting rid of the references from Telegraf's
Problem
The go.sum file contains references to the older protobuf versions.
Related Issue
This is related to issue #9181 with fix #9190
Vulnerable (Indirect) Dependencies
The output below is from running
go mod graph
and filtering for the vulnerable versions. I think these should either be updated or removed from Telegraf's dependency chain.
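As an added illustration of the point argued in this thread (not code from Telegraf or from the reporter): a small Go program that parses `go mod graph` output, reports the version that minimal version selection actually builds into the binary, and separately lists every requirer still pinning a version below the fixed release, which is why old entries linger in go.sum. The module paths in the sample graph are constructed placeholders, and `sampleGraph`, `parseVersion`, `less` and `scan` are hypothetical names.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed sample of `go mod graph` output; module paths are placeholders, not Telegraf's graph.
const sampleGraph = `github.com/example/app github.com/gogo/protobuf@v1.3.2
github.com/example/oldlib@v0.1.0 github.com/gogo/protobuf@v1.3.1
github.com/example/other@v1.0.0 github.com/gogo/protobuf@v1.2.1`

// parseVersion yields MAJOR.MINOR.PATCH and whether v carries a pre-release or
// pseudo-version suffix such as v0.0.0-20190101000000-abcdef123456.
func parseVersion(v string) (nums [3]int, pre bool) {
	core, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	for i, p := range strings.SplitN(core, ".", 3) {
		nums[i], _ = strconv.Atoi(strings.TrimSuffix(p, "+incompatible"))
	}
	return nums, pre
}
// less reports whether a sorts below b; a pre-release sorts below its release.
func less(a, b string) bool {
	na, pa := parseVersion(a)
	nb, pb := parseVersion(b)
	for i := range na {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	return pa && !pb
}
// scan returns the highest version of module in the graph (what minimal version
// selection builds into the binary) and every requirer still pinning a version
// below fixedIn, which is why older versions keep showing up in go.sum.
func scan(graph, module, fixedIn string) (selected string, stale [][2]string) {
	for _, line := range strings.Split(strings.TrimSpace(graph), "\n") {
		from, to, _ := strings.Cut(line, " ")
		if path, ver, ok := strings.Cut(to, "@"); ok && path == module {
			if selected == "" || less(selected, ver) {
				selected = ver
			}
			if less(ver, fixedIn) {
				stale = append(stale, [2]string{from, ver})
			}
		}
	}
	return selected, stale
}
```

Feed it real output by replacing `sampleGraph` with the text of `go mod graph`; a non-empty `stale` list with a fixed `selected` version is the "go.sum still mentions it, binary does not ship it" situation described above.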