DataDog / datadog-agent

Main repository for Datadog Agent
https://docs.datadoghq.com/
Apache License 2.0

[BUG] Use go-tuf version v0.3.2 - vulnerability fix for the package #13571

Open vasireddy99 opened 2 years ago

vasireddy99 commented 2 years ago

Agent Environment

Describe what happened:

go-tuf has done a patch release, v0.3.2, regarding a potential vulnerability, and it is encouraged to use that instead of v0.3.0.

Describe what you expected:

Use go-tuf version >=v0.3.2

Steps to reproduce the issue:

Additional environment details (Operating System, Cloud provider, etc):

arbll commented 2 years ago

Hey @vasireddy99, the vulnerability was reported by our very own @cedricvanrompay-datadog at https://github.com/theupdateframework/go-tuf/pull/369 and we confirmed we were not impacted.

We're also not immediately upgrading because we had to fork go-tuf until https://github.com/theupdateframework/go-tuf/pull/384 is merged. Once that's done we'll move to the v0.3.x backport of it.

I'll leave this open until we upgrade. Thanks for the report!
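The check a reviewer of this issue would actually want is not "does go.mod say v0.3.2" but "which go-tuf code is built", because the maintainer's reply says the agent uses a fork, and a `replace` directive changes the effective module without touching the `require` line. The following is an added example, not datadog-agent code and not part of this thread: a stdlib-only Go program that parses the `require` and `replace` directives of a go.mod, resolves the effective module and version for `github.com/theupdateframework/go-tuf`, and compares it against the v0.3.2 minimum requested above. The embedded go.mod is constructed for the example (the `github.com/DataDog/go-tuf` fork path and its pseudo-version are hypothetical), and prerelease comparison is the simplified string-order rule, not the full semver precedence algorithm.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod for this example; it is not the
// datadog-agent go.mod. The replace target (a hypothetical DataDog fork at a
// pseudo-version) models the forked go-tuf mentioned in the thread.
const sampleGoMod = `module example.com/agent

go 1.18

require (
	github.com/theupdateframework/go-tuf v0.3.0
	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
)

replace github.com/theupdateframework/go-tuf => github.com/DataDog/go-tuf v0.3.0-0.20220815120000-0123456789ab
`

// dep is the module that actually gets built for a required path.
type dep struct {
	Path     string // effective module path (after any replace)
	Version  string // effective version; empty for a local-directory replace
	Replaced bool
}

// parseGoMod reads require and replace directives (single-line and block
// forms) and returns the effective dependency for each required path.
func parseGoMod(content string) map[string]dep {
	deps := map[string]dep{}
	replaces := map[string]dep{}
	inRequire, inReplace := false, false
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop comments such as "// indirect"
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		switch strings.Join(f, " ") {
		case "require (":
			inRequire = true
			continue
		case "replace (":
			inReplace = true
			continue
		case ")":
			inRequire, inReplace = false, false
			continue
		}
		kind := ""
		switch {
		case inRequire:
			kind = "require"
		case inReplace:
			kind = "replace"
		case f[0] == "require" || f[0] == "replace":
			kind, f = f[0], f[1:]
		}
		switch kind {
		case "require":
			if len(f) == 2 {
				deps[f[0]] = dep{Path: f[0], Version: f[1]}
			}
		case "replace":
			// old [version] => new [version]; no version means a local path.
			arrow := -1
			for i, t := range f {
				if t == "=>" {
					arrow = i
				}
			}
			if arrow < 1 || arrow+1 >= len(f) {
				continue
			}
			r := dep{Path: f[arrow+1], Replaced: true}
			if arrow+2 < len(f) {
				r.Version = f[arrow+2]
			}
			replaces[f[0]] = r
		}
	}
	for p, r := range replaces {
		if _, ok := deps[p]; ok {
			deps[p] = r // the replacement is what the build actually uses
		}
	}
	return deps
}

// parseSemver splits "v1.2.3-pre+build" into numeric parts and the prerelease tag.
func parseSemver(v string) (nums [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, "", false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, "", false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// compareVersions returns -1, 0 or 1. A release sorts above any prerelease
// (including pseudo-versions) of the same number; prereleases are compared
// as plain strings, a simplification of full semver precedence.
func compareVersions(a, b string) (int, error) {
	na, pa, oka := parseSemver(a)
	nb, pb, okb := parseSemver(b)
	if !oka || !okb {
		return 0, fmt.Errorf("not a semantic version: %q / %q", a, b)
	}
	for i := 0; i < 3; i++ {
		if na[i] < nb[i] {
			return -1, nil
		}
		if na[i] > nb[i] {
			return 1, nil
		}
	}
	switch {
	case pa == pb:
		return 0, nil
	case pa == "":
		return 1, nil
	case pb == "":
		return -1, nil
	case pa < pb:
		return -1, nil
	}
	return 1, nil
}

// checkMinimum reports whether modulePath, as effectively built from this
// go.mod (after replace directives), is at least minVersion.
func checkMinimum(gomod, modulePath, minVersion string) (bool, string, error) {
	d, found := parseGoMod(gomod)[modulePath]
	if !found {
		return false, "", fmt.Errorf("%s is not required by this go.mod", modulePath)
	}
	if d.Version == "" {
		return false, fmt.Sprintf("%s is replaced by local path %s; version unknown, inspect the fork by hand", modulePath, d.Path), nil
	}
	c, err := compareVersions(d.Version, minVersion)
	if err != nil {
		return false, "", err
	}
	src := modulePath
	if d.Replaced {
		src += " (replaced by " + d.Path + ")"
	}
	return c >= 0, fmt.Sprintf("%s at %s, minimum %s", src, d.Version, minVersion), nil
}

func main() {
	ok, detail, err := checkMinimum(sampleGoMod, "github.com/theupdateframework/go-tuf", "v0.3.2")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("patched=%v: %s\n", ok, detail)
}
```

Run against the constructed go.mod this reports `patched=false` and names the fork, since a pseudo-version built from a v0.3.0-era commit sorts below v0.3.2 regardless of what the `require` line says; in a CI job you would feed it the real go.mod and fail the build on `false`, and treat a local-path `replace` as "verify manually" rather than "patched".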