CVE-2023-45142 affects the go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1 indirect dependency #160

Closed
priyaselvaganesan opened this issue Oct 26, 2023 · 8 comments
Assignees
Labels
triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@priyaselvaganesan

CVE link: https://nvd.nist.gov/vuln/detail/CVE-2023-45142

Is this repository using the go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp dependency actively? If so, can you give a time frame on resolving the CVE?

@k8s-ci-robot added the `needs-triage` label (indicates an issue or PR lacks a `triage/foo` label and requires one) on Oct 26, 2023
@dashpole

dashpole commented Nov 2, 2023

This repository does not use otelhttp, but I think it is still a good idea to bump the version.
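The triage question in this thread is the one every Go maintainer faces with an advisory against an `// indirect` module: is the module merely pinned in `go.mod`, or does it actually end up in the build? The script below is an added example for this issue, not code from the repository or from the Kubernetes project, and it only automates the first half of that check: it parses a `go.mod`, reports whether the requirement is direct or `// indirect`, and compares the pinned version against a fixed version. The `go.mod` content is constructed for the example, and `ASSUMED_FIXED_VERSION` is a placeholder; the real fixed version comes from the advisory. Whether the vulnerable code is reachable is a separate question that `go mod why -m <module>` and `govulncheck ./...` answer from the build graph, which a `go.mod` parser cannot see.

```python
"""Triage helper (added example, not the repository's own tooling).

Given go.mod text, answer two things about one module:
  - is it a direct requirement or marked `// indirect`?
  - is the pinned version below the version that carries the fix?
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Module path taken from the issue title; the fixed version is a placeholder
# (assumption) that must be replaced with the value from the advisory.
OTELHTTP = "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
ASSUMED_FIXED_VERSION = "v0.99.0"  # PLACEHOLDER, not the real fixed version

# Constructed sample go.mod for the example; not the repository's real file.
SAMPLE_GO_MOD = """
module example.com/constructed-sample

go 1.21

require (
    k8s.io/client-go v0.28.3
    go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1 // indirect
)
"""


@dataclass
class Requirement:
    path: str
    version: str
    indirect: bool


# One requirement line: optional "require " prefix, path, version, optional marker.
_REQ_RE = re.compile(r"^(?:require\s+)?(\S+)\s+(v\S+)\s*(//\s*indirect)?$")


def parse_go_mod(text: str) -> Dict[str, Requirement]:
    """Collect require directives (single-line and block form) keyed by module path."""
    reqs: Dict[str, Requirement] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if in_block or line.startswith("require "):
            m = _REQ_RE.match(line)
            if m:
                reqs[m.group(1)] = Requirement(m.group(1), m.group(2), m.group(3) is not None)
    return reqs


def parse_version(v: str) -> tuple:
    """Turn 'v0.35.1' into a comparable tuple; a pre-release sorts below its final release."""
    core, _, pre = v.lstrip("v").partition("-")
    core = core.split("+")[0]  # drop build metadata
    nums = tuple(int(p) for p in core.split("."))
    return nums + ((0,) if pre else (1,))


def assess(go_mod_text: str, module_path: str, fixed_version: str) -> dict:
    """Report presence, directness and whether the pinned version predates the fix."""
    req: Optional[Requirement] = parse_go_mod(go_mod_text).get(module_path)
    if req is None:
        return {"present": False, "indirect": None, "version": None, "vulnerable": False}
    return {
        "present": True,
        "indirect": req.indirect,
        "version": req.version,
        "vulnerable": parse_version(req.version) < parse_version(fixed_version),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_GO_MOD, OTELHTTP, ASSUMED_FIXED_VERSION)
    print(f"{OTELHTTP}: {report}")
    if report["indirect"]:
        # An indirect pin says nothing about reachability; confirm with the build graph.
        print(f"next: go mod why -m {OTELHTTP} && govulncheck ./...")
```

A vulnerable-but-indirect result is exactly the situation in this thread: the safe fix is still to bump the pin, but the urgency depends on what `go mod why` and `govulncheck` say about whether any package in the build imports the affected code.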

@dashpole

dashpole commented Nov 2, 2023

/assign @dgrisonnet
/triage accepted

@manikantanallagatla

Hi, any plans on updating the otelhttp package?

@dashpole

#161

@dgrisonnet
Member

This repo is not directly affected by that vulnerability, so we don't have any timeline for fixing it.

@manikantanallagatla would you perhaps be interested in sending a PR to bump the k8s versions and the otel dep?

@liangyuanpeng

Open a PR #162 to fix it

@CatherineF-dev
Contributor

/close

It's in 1.29.0 already

@k8s-ci-robot
Contributor

@CatherineF-dev: Closing this issue.

In response to this:

/close

It's in 1.29.0 already

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
