confluentinc / confluent-kafka-go

Confluent's Apache Kafka Golang client
Apache License 2.0

runc package is not updated in the go.mod file #1139

Open meggm opened 4 months ago

meggm commented 4 months ago

Description

Hi team,

We're currently using the latest version of the confluent-kafka-go package (version 2.3.0) in our project, accessible at [github.com/confluentinc/confluent-kafka-go/v2:v2.3.0]. However, it's important to note that this version relies on the github.com/opencontainers/runc package, specifically version 1.1.3, which has been flagged with a HIGH vulnerability under CVE-2024-21626.

In light of this vulnerability, we kindly request upgrading the runc package to version 1.1.12 at your earliest convenience. This proactive measure will help ensure the security and stability of the system. Thank you for your attention to this matter.

How to reproduce

NA

Checklist

Please provide the following information:

milindl commented 4 months ago

Hi @meggm, thanks for reporting this. This will be fixed by #1136 which will be merged in and included in the next release.

meggm commented 4 months ago

Hi @milindl , I see that the updated version of runc is 1.1.9. Could you please consider upgrading to 1.1.12 which does not have any known vulnerabilities? Thank you.

milindl commented 4 months ago

That makes sense, let me check if I can make that change in the PR itself, given that it's an indirect dependency.

milindl commented 3 months ago

It's now at 1.1.0, but I can't update it to 1.1.12 without causing breakage in the builds (the tests don't work for me).

You can file an issue in the upstream package which causes this dependency to be fetched, it's github.com/moby/buildkit. I can keep this issue open until there's an update there (and in all the transient packages...). Alternatively, if you have any workarounds, please feel free to suggest them or make a PR; as long as things are building and the tests are running, I'll be happy to take a look.

Note that this is a dependency used only by the integration tests, not by the library.
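As an added example (not code from the repository or from anyone in this thread), a small Go audit that reads go.mod text and flags github.com/opencontainers/runc pinned below v1.1.12, reporting whether the pin carries the `// indirect` marker discussed above. The go.mod fragment in `main` is constructed; only the runc v1.1.3 and confluent-kafka-go v2.3.0 pins come from the issue, and the buildkit version is a placeholder.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding is one require line pinned below the minimum safe version.
type Finding struct{ Module, Version string; Indirect bool }

// rank maps "v1.1.3" to an int that sorts like major.minor.patch (pre-release suffix ignored).
func rank(v string) (r int) {
	for _, p := range strings.SplitN(strings.SplitN(strings.TrimPrefix(v, "v"), "-", 2)[0], ".", 3) {
		n, _ := strconv.Atoi(p)
		r = r*10000 + n
	}
	return r
}

// AuditGoMod scans go.mod text (block and single-line require forms) and reports each
// module in mins (path -> minimum safe version) pinned below it, flagging "// indirect".
func AuditGoMod(gomod string, mins map[string]string) []Finding {
	var out []Finding
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if line == "require (" || line == ")" { // enter / leave a require block
			inBlock = line == "require ("
			continue
		}
		if !inBlock && !strings.HasPrefix(line, "require ") {
			continue
		}
		f := strings.Fields(strings.TrimPrefix(line, "require "))
		if len(f) < 2 { continue } // blank or comment-only line inside the block
		if min, ok := mins[f[0]]; ok && rank(f[1]) < rank(min) {
			out = append(out, Finding{f[0], f[1], strings.Contains(line, "// indirect")})
		}
	}
	return out
}

// main audits a constructed go.mod modelled on the issue (buildkit version is a placeholder).
func main() {
	gomod := "require github.com/confluentinc/confluent-kafka-go/v2 v2.3.0\n\nrequire (\n" +
		"\tgithub.com/moby/buildkit v0.0.0-placeholder // indirect\n" +
		"\tgithub.com/opencontainers/runc v1.1.3 // indirect\n)\n"
	for _, f := range AuditGoMod(gomod, map[string]string{"github.com/opencontainers/runc": "v1.1.12"}) {
		fmt.Printf("%s %s (indirect=%v) is below the minimum safe version\n", f.Module, f.Version, f.Indirect)
	}
}
```

Against a real checkout, `go mod why -m github.com/opencontainers/runc` shows which package pulls the module in; this audit only reads the pinned version.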