a-bali / telegraf-geoip

GeoIP lookup plugin for Telegraf
MIT License

Update dependencies #6

Closed cnemo-cenic closed 3 months ago

cnemo-cenic commented 3 months ago

Update dependencies so as to not pull in vulnerable packages (see below)

```
usr/local/bin/telegraf-geoip (gobinary)
=======================================
Total: 5 (MEDIUM: 0, HIGH: 5, CRITICAL: 0)
┌──────────────────────────┬────────────────┬──────────┬────────┬──────────────────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│         Library          │ Vulnerability  │ Severity │ Status │          Installed Version           │ Fixed Version │                            Title                             │
├──────────────────────────┼────────────────┼──────────┼────────┼──────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/gogo/protobuf │ CVE-2021-3121  │ HIGH     │ fixed  │ v1.2.2-0.20190723190241-65acae22fc9d │ 1.3.2         │ gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain   │
│                          │                │          │        │                                      │               │ index validation                                             │
│                          │                │          │        │                                      │               │ https://avd.aquasec.com/nvd/cve-2021-3121                    │
├──────────────────────────┼────────────────┤          │        ├──────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/tidwall/gjson │ CVE-2020-35380 │          │        │ v1.6.0                               │ 1.6.4         │ GJSON before 1.6.4 allows attackers to cause a denial of     │
│                          │                │          │        │                                      │               │ service via...                                               │
│                          │                │          │        │                                      │               │ https://avd.aquasec.com/nvd/cve-2020-35380                   │
│                          ├────────────────┤          │        │                                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2020-36066 │          │        │                                      │ 1.6.5         │ GJSON <1.6.5 allows attackers to cause a denial of service   │
│                          │                │          │        │                                      │               │ (remote) vi...                                               │
│                          │                │          │        │                                      │               │ https://avd.aquasec.com/nvd/cve-2020-36066                   │
│                          ├────────────────┤          │        │                                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2020-36067 │          │        │                                      │ 1.6.6         │ GJSON <=v1.6.5 allows attackers to cause a denial of service │
│                          │                │          │        │                                      │               │ (panic: r...                                                 │
│                          │                │          │        │                                      │               │ https://avd.aquasec.com/nvd/cve-2020-36067                   │
│                          ├────────────────┤          │        │                                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2021-42836 │          │        │                                      │ 1.9.3         │ GJSON before 1.9.3 allows a ReDoS (regular expression denial │
│                          │                │          │        │                                      │               │ of servic ......                                             │
│                          │                │          │        │                                      │               │ https://avd.aquasec.com/nvd/cve-2021-42836                   │
└──────────────────────────┴────────────────┴──────────┴────────┴──────────────────────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```

cnemo-cenic commented 3 months ago

FYI I just ran `go get -u ./cmd` to get this diff. If you re-run that command you should get something similar (although if a new telegraf or geoip package version is published, it could be slightly different). If you'd prefer to run the command yourself and merge/push those results, fine by me.
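
One way to confirm that a rebuilt binary no longer embeds the versions the scan flagged is to read the module list Go stamps into every binary (`go version -m <binary>`) and compare each tracked dependency against the fixed version from the table. The following is an added example, not code from this repository; it assumes the standard `dep <module> <version> <hash>` line format of `go version -m`, and the sample input is constructed from the versions in the scan above.

```go
package main

import (
	"fmt"
	"strings"
)

// Fixed versions from the scan table; for gjson the highest listed fix (1.9.3) covers all four CVEs.
var fixedVersions = map[string]string{
	"github.com/gogo/protobuf": "v1.3.2",
	"github.com/tidwall/gjson": "v1.9.3",
}
// key maps "v1.2.2-0.20190723190241-65acae22fc9d" to a sortable "000001.000002.000002"; pre flags any suffix.
func key(v string) (string, bool) {
	pre := false
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v, pre = v[:i], true
	}
	var a, b, c int
	fmt.Sscanf(v, "%d.%d.%d", &a, &b, &c) // missing or malformed parts stay 0, i.e. "old"
	return fmt.Sprintf("%06d.%06d.%06d", a, b, c), pre
}

// VulnerableDeps scans the "dep <module> <version> <hash>" lines of `go version -m <binary>` output.
func VulnerableDeps(goVersionM string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(goVersionM, "\n") {
		if f := strings.Fields(line); len(f) >= 3 && f[0] == "dep" {
			if fixed, ok := fixedVersions[f[1]]; ok {
				have, pre := key(f[2])
				want, _ := key(fixed)
				// A pseudo-version of the fixed core (v1.3.2-0.2021...) still sorts before v1.3.2.
				if have < want || have == want && pre {
					out[f[1]] = f[2]
				}
			}
		}
	}
	return out
}

func main() {
	// Constructed sample of `go version -m` output using the versions from the table above.
	sample := "/usr/local/bin/telegraf-geoip: go1.21\n" +
		"\tdep\tgithub.com/gogo/protobuf\tv1.2.2-0.20190723190241-65acae22fc9d\th1:x\n" +
		"\tdep\tgithub.com/tidwall/gjson\tv1.6.0\th1:y\n"
	for mod, ver := range VulnerableDeps(sample) {
		fmt.Printf("%s %s is below fixed %s\n", mod, ver, fixedVersions[mod])
	}
}
```

Run it against the binary produced after the dependency bump; an empty result means none of the tracked modules is still below its fix.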

a-bali commented 3 months ago

Thanks, closed.