canonical / spread

Spread - Convenient full-system test (task) distribution
GNU General Public License v3.0
99 stars 58 forks

Golang module versions have current CVEs of High level #162

Open jocado opened 1 year ago

jocado commented 1 year ago

Hi,

Seems like the following modules have High level CVEs currently, as output from our trivy image scanning:

┌─────────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │         Installed Version          │           Fixed Version           │                            Title                            │
├─────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2021-43565 │ HIGH     │ v0.0.0-20210711020723-a769d52b0f97 │ 0.0.0-20211202192323-5770296d904e │ golang.org/x/crypto: empty plaintext packet causes panic    │
│                     │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-43565                  │
│                     ├────────────────┤          │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                     │ CVE-2022-27191 │          │                                    │ 0.0.0-20220314234659-1baeb1ce4c0b │ golang: crash in a golang.org/x/crypto/ssh server           │
│                     │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27191                  │
├─────────────────────┼────────────────┤          ├────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net    │ CVE-2021-44716 │          │ v0.0.0-20210716203947-853a461950ff │ 0.0.0-20211209124913-491a49abca63 │ golang: net/http: limit growth of header canonicalization   │
│                     │                │          │                                    │                                   │ cache                                                       │
│                     │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-44716                  │
│                     ├────────────────┤          │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                     │ CVE-2022-27664 │          │                                    │ 0.0.0-202209061[651] │ golang: net/http: handle server errors after sending GOAWAY │
│                     │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27664                  │

I can easily create an MR to bump the versions, but I don't know if it's as simple as that. If it is, I will.

Please advise.

Cheers, Just
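Whether a version bump actually clears the report can be checked mechanically against the scanner's "Fixed Version" column. The Go program below is an added example, not part of this issue or of spread's own code: it compares a constructed module list (the `requires` map, shaped like `go list -m all` output and hypothetical) against the three advisories from the table above whose fixed versions are complete, ordering pseudo-versions by their fixed-width timestamp.

```go
package main

import (
	"strconv"
	"strings"
)

// Advisory: module, CVE and first fixed version (values taken from the trivy table above).
type Advisory struct{ Module, CVE, Fixed string }
// Finding: a module that is still below an advisory's fixed version.
type Finding struct{ Module, CVE, Have, Need string }
// Constructed module list, as `go list -m all` would print it (hypothetical, not spread's).
var requires = map[string]string{
	"golang.org/x/crypto": "v0.0.0-20210711020723-a769d52b0f97",
	"golang.org/x/net":    "v0.0.0-20210716203947-853a461950ff",
}
var advisories = []Advisory{
	{"golang.org/x/crypto", "CVE-2021-43565", "v0.0.0-20211202192323-5770296d904e"},
	{"golang.org/x/crypto", "CVE-2022-27191", "v0.0.0-20220314234659-1baeb1ce4c0b"},
	{"golang.org/x/net", "CVE-2021-44716", "v0.0.0-20211209124913-491a49abca63"},
}
// Less orders module versions: numeric major.minor.patch first, then the pre-release part
// lexically, which is correct for pseudo-versions because their timestamp is fixed-width.
func Less(a, b string) bool {
	split := func(v string) ([]string, string) {
		v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop "+incompatible"
		core, pre, _ := strings.Cut(v, "-")
		return strings.Split(core, "."), pre
	}
	ac, ap := split(a)
	bc, bp := split(b)
	for i := 0; i < len(ac) && i < len(bc); i++ {
		x, _ := strconv.Atoi(ac[i])
		y, _ := strconv.Atoi(bc[i])
		if x != y { return x < y }
	}
	if ap == "" || bp == "" { return ap != "" } // a release outranks its own pre-releases
	return ap < bp
}
// Outdated lists each advisory whose module is present below the fixed version.
func Outdated(mods map[string]string, advs []Advisory) []Finding {
	var fs []Finding
	for _, a := range advs {
		if have, ok := mods[a.Module]; ok && Less(have, a.Fixed) {
			fs = append(fs, Finding{a.Module, a.CVE, have, a.Fixed})
		}
	}
	return fs
}
```

Run the check over the full module graph rather than only the direct requires in go.mod, since the scanner reports what was actually built into the image.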