
Security vulnerabilities introduced by supercronic #88

Closed
mohammed-ezzedine opened this issue Nov 1, 2022 · 3 comments


mohammed-ezzedine commented Nov 1, 2022

Pre issue-raising checklist

I have already (please mark the applicable with an x):

  • [ X ] Confirmed this is the right place to raise the issue - only issues related to the Dockerization of the Pact Broker should be raised here. Issues related to the Pact Broker application itself should be raised in the Pact Broker project.
  • [ X ] Upgraded to the latest Pact Broker Docker image OR
  • [ X ] Checked the CHANGELOG to see if the issue I am about to raise has been fixed
  • [ X ] Read the Troubleshooting page

Software versions

  • pact-broker docker version: 2.105.0.0

Expected behaviour

No security vulnerabilities in the image

Actual behaviour

Two security vulnerabilities found:
(CVE-2021-38297 and CVE-2022-23806)

Steps to reproduce

Version 2.105.0.0 of pact-broker uses supercronic with version v0.1.11 which introduces the above security vulnerabilities caused by using an old version of golang (1.14.4).

These vulnerabilities are fixed in golang version 1.17.7+ and are addressed in supercronic v0.2.0 so an upgrade for supercronic to v0.2.0+ would solve it.
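The check below is an added example, not code from this issue or the pact-broker project: it reads the Go toolchain version embedded in a Go binary such as supercronic (as printed by `go version <binary>`) and flags anything older than go1.17.7, the release the issue names as carrying the fixes. The binary path and the image name in the comments are assumptions.

```sh
#!/bin/sh
# Added example, not from the pact-broker project or this issue.
# `go version <binary>` prints the toolchain a Go binary was built with, e.g.
#   /usr/local/bin/supercronic: go1.14.4
# Toolchains below MIN_GO are the ones the issue reports as affected.
MIN_GO="1.17.7"   # first Go release the issue names as containing the fixes

# Extract "1.14.4" from a `go version <binary>` output line; prints nothing
# if the line carries no Go version.
go_toolchain_version() {
    printf '%s\n' "$1" | sed -n 's/^.*: go\([0-9][0-9.]*\).*$/\1/p' | head -n1
}

# Return 0 (true) if dotted version $1 is strictly older than $2, comparing
# component-wise so that 1.9 < 1.14 and 1.17 < 1.17.7 (pure POSIX sh).
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; a="${a#*.}"
        bi="${b%%.*}"; b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# Print "vulnerable", "ok" or "unknown" for one `go version <binary>` line.
assess_line() {
    v=$(go_toolchain_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"; return 1
    elif version_lt "$v" "$MIN_GO"; then
        echo "vulnerable"     # built with a toolchain older than MIN_GO
    else
        echo "ok"
    fi
}

# Constructed sample lines standing in for real `go version` output.
assess_line "/usr/local/bin/supercronic: go1.14.4"   # supercronic v0.1.11 era
assess_line "/usr/local/bin/supercronic: go1.17.7"

# Against a real image (assumed image name and path), copy the binary out and
# inspect it on a host that has the go tool:
#   id=$(docker create pactfoundation/pact-broker:2.105.0.0)
#   docker cp "$id":/usr/local/bin/supercronic ./supercronic && docker rm "$id"
#   assess_line "$(go version ./supercronic)"
```

The same check applies to any other Go-built binary shipped in the image, since the exposure comes from the toolchain version rather than from supercronic specifically.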

@bethesque bethesque added the jira label Jan 17, 2023
@github-actions

👋 Thanks, Jira [PACT-590] ticket created.

@github-actions

👋 Thanks, Jira [PACT-599] ticket created.

@bethesque (Member)

Released in tag 2.106.0.0
