Update golang.org/x/net to address CVE-2022-41723 #4275
Comments
go.mod has already been updated on the master branch.

Right, I see dependabot is on the case there. Any thoughts about a 0.15.1-r1 or similar release with the updated module(s)? I'll close this in any case, thanks for the follow up!

Is there a timeline on when there will be a version released with this fix?

@berler not sure how you're using restic, but I can help until there's a new release if you are building from source, or using an apk based Linux distro?

We'd like to avoid building from source if possible. Currently we just download the binary from the release page (is this effectively the same as if you installed from a package and then ran the self-update script?).

@berler The problem is mentioned in the release notes of the current version
Output of restic version

What should restic do differently? Which functionality do you think we should add?
Update golang.org/x/net from 0.5.0 to 0.7.0 (along with related dependencies).

What are you trying to do? What problem would this solve?
This update addresses CVE-2022-41723, which can lead to a Denial of Service. Scanning the 0.15.1 tag with Trivy shows the issue:

Updating golang.org/x/net to the patched 0.7.0 version mitigates the vulnerability. Here's the full diff:

All tests seem to pass when I run make test as well. I'll open an associated PR if that's the best way to proceed?

Did restic help you today? Did it make you happy in any way?
Restic is great! I added it to Wolfi OS for use with container workloads.
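The issue above reduces to one verifiable fact: whether the golang.org/x/net module a build pulls in is at or above v0.7.0, the version the reporter names as patched. The following is an added example, not code from restic or from the issue author, that reads a go.mod and reports exactly that. The two go.mod fragments are constructed samples, not restic's real go.mod, and the 0.7.0 threshold is taken from the issue text rather than from any other source.

```shell
#!/bin/sh
# Added example (not restic's code): check whether a go.mod pins golang.org/x/net
# at or above v0.7.0, the release the issue names as carrying the CVE-2022-41723 fix.

# Two constructed go.mod fragments used as sample input; neither is restic's real go.mod.
VULN_GOMOD='module example.com/app

go 1.19

require (
	golang.org/x/net v0.5.0
	golang.org/x/sys v0.4.0
)'

FIXED_GOMOD='module example.com/app

go 1.19

require (
	golang.org/x/net v0.7.0 // indirect
	golang.org/x/sys v0.5.0
)'

# Minimum x/net version the issue describes as patched (assumed from the issue text).
XNET_FIXED_VERSION="0.7.0"

# Read a go.mod on stdin and print the pinned golang.org/x/net version without the
# leading "v". Prints nothing if the module is not required at all.
xnet_version() {
    awk '$1 == "golang.org/x/net" { sub(/^v/, "", $2); print $2; exit }'
}

# Return success when dotted version $1 is greater than or equal to version $2.
# Components are compared numerically, so 0.10.0 is correctly ranked above 0.7.0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Return success when the go.mod on stdin requires x/net at or above the fixed version.
# A go.mod that never mentions x/net is reported as failure, so a missing dependency
# line is never mistaken for a patched one.
xnet_fixed() {
    v=$(xnet_version)
    [ -n "$v" ] && version_ge "$v" "$XNET_FIXED_VERSION"
}

# Stand-alone run over the two constructed samples.
for sample in VULN_GOMOD FIXED_GOMOD; do
    eval "content=\$$sample"
    if printf '%s\n' "$content" | xnet_fixed; then
        echo "$sample: golang.org/x/net is at or above v$XNET_FIXED_VERSION"
    else
        echo "$sample: golang.org/x/net is below v$XNET_FIXED_VERSION or missing"
    fi
done
```

Against a real checkout, `go list -m golang.org/x/net` prints the version the module graph actually selects, which is what matters rather than a single require line. For the case raised in the comments, users who download the release binary instead of building, `go version -m restic` prints the module versions compiled into the binary, so the same threshold check can be applied to the artifact itself.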