Open ZsoltPath opened 3 months ago
To follow up on this occurring issue.
It would seem that the vulnerable module has been updated to the fix version provided in https://github.com/advisories/GHSA-87m9-rv8p-rgmg as can be seen in https://github.com/DataDog/datadog-agent/blob/main/go.mod#L478 in https://github.com/DataDog/datadog-agent/commit/054a65c46b290fa3bb9f4ff09fed5cf6d0029123.
This was done as part of this PR: https://github.com/DataDog/datadog-agent/pull/26609, and then was added as a backport to 7.55.x in https://github.com/DataDog/datadog-agent/pull/26615.
However, the 7.55 milestone https://github.com/DataDog/datadog-agent/milestone/192 that now includes the backport mentioned above hasn't yet been released.
Would it be possible to provide any info on a potential timeline of this fix being released and a new datadog-lambda-extension with the fix being published?
Hi @AndreiMazu (et al.), we don't provide our release dates in advance as the process itself takes a variable amount of time after the code freeze (e.g. for testing, QA of changes, etc.). With that said, we are in the later stages of the process for the next Agent release.
AWS Inspector recently alerted about the following vulnerability: go-grpc-compression has a zstd decompression bombing vulnerability, https://github.com/advisories/GHSA-87m9-rv8p-rgmg
Agent Environment
v7.54.0
Describe what happened:
Describe what you expected:
Steps to reproduce the issue:
Additional environment details (Operating System, Cloud provider, etc): AWS Lambda extension
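Added here as a defensive illustration of the decompression-bomb class named in the advisory (example code, not datadog-agent's or go-grpc-compression's own): a bounded decompressor that refuses to materialise more output than a configured cap. It uses Go's standard-library gzip in place of zstd so it runs without third-party modules, and the 1 MiB limit is an assumed value.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned when inflated output exceeds the cap.
var ErrDecompressedTooLarge = errors.New("decompressed payload exceeds configured limit")

// DecompressBounded inflates a gzip stream but never materialises more than
// maxBytes of output. gzip stands in for zstd so the example needs only the
// standard library; the guard itself is codec-independent: read through a
// LimitReader allowing one byte past the cap, and treat that extra byte as a bomb.
func DecompressBounded(compressed []byte, maxBytes int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	out, err := io.ReadAll(io.LimitReader(zr, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxBytes {
		return nil, ErrDecompressedTooLarge
	}
	return out, nil
}

// compress builds sample inputs: the gzip-compressed form of data.
func compress(data []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	_, _ = zw.Write(data)
	_ = zw.Close()
	return buf.Bytes()
}

func main() {
	// Constructed sample: 4 MiB of zeros gzips to a few KiB, the shape of a
	// decompression bomb. A 1 MiB cap rejects it while a short message passes.
	const limit = 1 << 20
	_, err := DecompressBounded(compress(make([]byte, 4<<20)), limit)
	fmt.Println("bomb:", err)
	msg, err := DecompressBounded(compress([]byte("hello gRPC")), limit)
	fmt.Printf("message: %q err=%v\n", msg, err)
}
```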