Closed ZelphirKaltstahl closed 2 months ago
... or 1.22.4+ or 1.23.
As noted elsewhere this does not really affect Caddy, but a new image with Go 1.23 is probably a good idea.
No point to keep this open, it's a duplicate.
Can you link at least to that "elsewhere", so that people searching for this CVE can find that documentation as well? I think that would be helpful.
Edit: Nvm, I found it: https://github.com/caddyserver/caddy-docker/issues/361
(It's already linked above ☝️ )
> As noted elsewhere this does not really affect Caddy
@mholt Hello from team Trivy :) Just chiming in to say that Trivy now allows software maintainers (you) to publish vulnerability analysis about your software (packages, libraries, container images) so that vulnerability scanners will automatically suppress those irrelevant vulnerabilities for end users. You can read more here: https://aquasecurity.github.io/trivy/latest/docs/supply-chain/vex/repo/#publishing-vex-documents https://github.com/aquasecurity/vexhub Feel free to reach me or the Trivy team if you have any issues/feedback.
The current latest official (according to https://hub.docker.com/_/caddy/tags) docker image is affected by CVE-2024-24790 (for example https://security-tracker.debian.org/tracker/CVE-2024-24790 or https://nvd.nist.gov/vuln/detail/CVE-2024-24790). Are there any plans to upgrade to a newer version of go? If I understand correctly, 1.21.13-1 should have it fixed.