aptible / supercronic

Cron for containers
MIT License

go 1.14 vulnerability CVE-2021-38297 #101

Closed samccauley closed 2 years ago

samccauley commented 2 years ago

Please update to go 1.17.2 which fixes this CVE.

neurosnap commented 2 years ago

Thanks for submitting this security issue!

From: https://nvd.nist.gov/vuln/detail/CVE-2021-38297

Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.

We don't build for wasm, and GOOS is 'linux' for us so it looks like this doesn't affect us directly. Having said that, we plan to upgrade golang for this project soon.

neurosnap commented 2 years ago

Latest release upgrades golang: https://github.com/aptible/supercronic/releases/tag/v0.2.0
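
The triage reasoning in the thread (toolchain version in the vulnerable range, but build target not js/wasm) can be written as a check. This is an added example, not code from supercronic or from the commenters; `parseGoVersion` and `triage` are hypothetical helper names, and the `amd64` architecture in the sample call is an assumption, since the thread only states GOOS.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseGoVersion turns "go1.16.9" into [1 16 9]. A missing patch level counts
// as 0 and a pre-release suffix ("go1.17rc1") is dropped.
func parseGoVersion(v string) (out [3]int, err error) {
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		end := 0
		for end < len(p) && p[end] >= '0' && p[end] <= '9' {
			end++
		}
		if out[i], err = strconv.Atoi(p[:end]); err != nil {
			return out, fmt.Errorf("unrecognised Go version %q", v)
		}
	}
	return out, nil
}

// triage (hypothetical helper) applies the two conditions in the NVD text:
// inRange: toolchain is before 1.16.9, or is 1.17.x before 1.17.2;
// exposed: inRange and the build target is GOOS=js GOARCH=wasm.
func triage(goVersion, goos, goarch string) (inRange, exposed bool, err error) {
	v, err := parseGoVersion(goVersion)
	if err != nil {
		return false, false, err
	}
	switch {
	case v[0] != 1:
		inRange = v[0] < 1
	case v[1] <= 15:
		inRange = true
	case v[1] == 16:
		inRange = v[2] < 9
	case v[1] == 17:
		inRange = v[2] < 2
	}
	return inRange, inRange && goos == "js" && goarch == "wasm", nil
}

func main() {
	// Constructed input: go1.14 and GOOS=linux are from the thread; amd64 is assumed.
	inRange, exposed, err := triage("go1.14", "linux", "amd64")
	fmt.Println(inRange, exposed, err)
}
```

A result of `inRange` true with `exposed` false matches the thread's conclusion: the build is not directly affected, but the toolchain should still be upgraded.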