GoogleCloudPlatform / cloud-run-proxy

Local proxy for authenticating requests to Cloud Run
Apache License 2.0
124 stars 20 forks

golang.org/x/net CVEs #26

Closed ntang86 closed 1 year ago

ntang86 commented 1 year ago

Hi, the old release v0.3.0 has a vulnerability issue with golang.org/x/net v0.0.0-20221004154528-8021a29435af https://security-tracker.debian.org/tracker/CVE-2022-41723 https://security-tracker.debian.org/tracker/CVE-2022-41721

Are we planning on a new release?

Thank you

sethvargo commented 1 year ago

Hi @ntang86 - the module requires Go 1.19, which marked this CVE as fixed. Are you seeing something different?

ntang86 commented 1 year ago

Sorry, I'm not sure what it means on the Debian website :/ Here is the GitHub CVE report https://github.com/advisories/GHSA-vvpx-j8f3-3w6h

I compiled cloud-run-proxy with the v0.3.0 release and copied the binary into the final destination, but Google Artifact Registry still detects the CVE. And that's because of the indirect dependency: any version of this package < v0.7.0 is affected

golang.org/x/net v0.0.0-20221004154528-8021a29435af

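The point in the comment above is that a scanner looks at the module versions recorded in the built binary, not at the Go toolchain version, so an indirect golang.org/x/net below v0.7.0 shows up regardless of the Go release used. The following is an added example (not code from cloud-run-proxy or from anyone in this thread) that reads the same embedded build info with the standard library's debug/buildinfo package and flags tracked modules below a fixed version. The fixedIn map is an assumed input holding the single bound mentioned in the advisory, and sampleInfo is a constructed build-info record mirroring the reported v0.3.0 dependency; neither is read from a real binary unless a path is given on the command line.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Finding records one module in the binary's build info whose linked version
// is below the version that fixes a known issue.
type Finding struct {
	Path    string
	Version string // version actually linked (after applying any replace directive)
	Fixed   string
}

// fixedIn is the assumed lower bound for the module discussed in this thread:
// GHSA-vvpx-j8f3-3w6h is fixed in golang.org/x/net v0.7.0. It is an input to
// the scan, not a vulnerability database.
var fixedIn = map[string]string{
	"golang.org/x/net": "v0.7.0",
}

// parseVersion splits a Go module version ("v0.7.0", or a pseudo-version such
// as "v0.0.0-20221004154528-8021a29435af") into major.minor.patch and reports
// whether a pre-release suffix is present. Pseudo-versions always carry such a
// suffix and sort before the release version they are derived from.
func parseVersion(v string) (nums [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 { // drop build metadata
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 { // pre-release / pseudo-version suffix
		pre = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, pre, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, pre, false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// olderThan reports whether module version a sorts before b. Unparseable
// input is never reported as older, so garbage cannot produce a false finding.
func olderThan(a, b string) bool {
	an, apre, aok := parseVersion(a)
	bn, bpre, bok := parseVersion(b)
	if !aok || !bok {
		return false
	}
	for i := range an {
		if an[i] != bn[i] {
			return an[i] < bn[i]
		}
	}
	// same numeric version: a pre-release (or pseudo-version) sorts first
	return apre && !bpre
}

// effectiveVersion applies a replace directive when present, since the
// replacement is what was actually linked into the binary.
func effectiveVersion(m *debug.Module) string {
	if m.Replace != nil {
		return m.Replace.Version
	}
	return m.Version
}

// scan walks the main module and every direct and indirect dependency in the
// build info and returns each tracked module that is below its fixed version.
func scan(info *debug.BuildInfo, fixed map[string]string) []Finding {
	var out []Finding
	mods := append([]*debug.Module{&info.Main}, info.Deps...)
	for _, m := range mods {
		want, tracked := fixed[m.Path]
		if !tracked {
			continue
		}
		got := effectiveVersion(m)
		if olderThan(got, want) {
			out = append(out, Finding{Path: m.Path, Version: got, Fixed: want})
		}
	}
	return out
}

// sampleInfo is a constructed build-info record mirroring the indirect
// dependency reported in this thread for a v0.3.0 build; it is not read from
// any real binary.
func sampleInfo() *debug.BuildInfo {
	return &debug.BuildInfo{
		Main: debug.Module{Path: "github.com/GoogleCloudPlatform/cloud-run-proxy", Version: "v0.3.0"},
		Deps: []*debug.Module{
			{Path: "golang.org/x/net", Version: "v0.0.0-20221004154528-8021a29435af"},
		},
	}
}

func main() {
	info := sampleInfo()
	if len(os.Args) > 1 { // optional: inspect a real Go binary instead of the sample
		var err error
		if info, err = buildinfo.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	for _, f := range scan(info, fixedIn) {
		fmt.Printf("%s %s is below fixed version %s\n", f.Path, f.Version, f.Fixed)
	}
}
```

The same module list can be printed by hand with `go version -m <binary>`; the scan above just automates the comparison, including the case where a replace directive changes what was actually linked. Because it reads only what the linker embedded, it agrees with what an image scanner sees and not with what the toolchain version implies.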
sethvargo commented 1 year ago

Okay, I just cut https://github.com/GoogleCloudPlatform/cloud-run-proxy/releases/tag/v0.4.0