confluentinc / confluent-kafka-go

Confluent's Apache Kafka Golang client
Apache License 2.0
4.66k stars 658 forks source link

runc package is not updated in the go.mod file #1139

Open meggm opened 9 months ago

meggm commented 9 months ago

Description

Hi team,

We're currently using the latest version of the confluent-kafka-go package (version 2.3.0) in our project, accessible at [github.com/confluentinc/confluent-kafka-go/v2:v2.3.0]. However, it's important to note that this version relies on the github.com/opencontainers/runc package, specifically version 1.1.3, which has been flagged with a HIGH vulnerability under CVE-2024-21626.

In light of this vulnerability, we kindly request upgrading the runc package to version 1.1.12 at your earliest convenience. This proactive measure will help ensure the security and stability of the system. Thank you for your attention to this matter.

How to reproduce

NA

Checklist

Please provide the following information:

milindl commented 9 months ago

Hi @meggm, thanks for reporting this. This will be fixed by #1136 which will be merged in and included in the next release.

meggm commented 9 months ago

Hi @milindl , I see that the updated version of runc is 1.1.9. Could you please consider upgrading to 1.1.12 which does not have any known vulnerabilities? Thank you.

milindl commented 9 months ago

That makes sense, let me check if I can make that change in the PR itself, given that it's an indirect dependency. .

milindl commented 7 months ago

It's now at 1.1.0, but I can't update it to 1.1.12 without causing breakage in the builds (the tests don't work for me).

You can file an issue in the upstream package which cause this dependency to be fetched, it's github.com/moby/buildkit . I can keep this issue open until there's an update there (and in all the transient packages...) . Alternatively, if you have any workarounds, please feel free to suggest them or make a PR, as long as things are building and the tests are running, I'll be happy to take a look.

Note that this is a dependency used only by the integration tests, not by the library.