gogo protobuf CVE-2021-3121 (< 1.3.2) #9181

sergiodj · 2021-04-23T20:02:47Z

The gogo protobuf module in the version that is being used by telegraf (1.3.1) has a CVE:

The vulnerability has been fixed in version 1.3.2. Please consider bumping the version of this dependency. Thanks!

helenosheaa · 2021-04-26T15:11:55Z

Thanks for opening this issue, I'll look into upgrading the dependency!

sergiodj · 2021-04-26T21:28:04Z

Emeka-MSFT · 2022-02-03T10:36:40Z

@helenosheaa , the go.sum file contains references to the older protobuf versions.

Does this mean that Telegraf depends on components that required/use the older/vulnerable versions?

If this is correct, then would these Telegraf dependencies need to be updated as well?

Emeka-MSFT · 2022-02-03T11:04:14Z

Opened #10581

sergiodj added the bug unexpected problem or unintended behavior label Apr 23, 2021

helenosheaa self-assigned this Apr 26, 2021

helenosheaa mentioned this issue Apr 26, 2021

upgrade gogo protobuf to v1.3.2 #9190

Merged

helenosheaa closed this as completed in #9190 Apr 27, 2021

Emeka-MSFT mentioned this issue Feb 3, 2022

gogo protobuf CVE-2021-3121 (< 1.3.2) in go.sum (indirect dependencies) #10581

Closed

Provide feedback