CVE-2024-34156 - Githubissues

MoeBensu commented 2 months ago

Preflight Checklist

[X] I agree to follow the Code of Conduct that this project adheres to.
[X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
[X] I am not looking for support or already pursued the available support channels without success.

Version

2.41.1

Storage Type

Kubernetes

Installation Type

Official container image

Expected Behavior

High/Critical vulnerability-free docker image

Actual Behavior

CVE-2024-34156 has been published against the stdlib lib in go binaries and is found by trivy in docker image v2.41.1 which has go1.22.5

Steps To Reproduce

Running trivy image -v dexidp/dex:latest-alpine yields

Additional Information

The fix has been released in go1.22.7 and go1.23.1. Would you prefer to just bump to go1.22.7 since the latest minor updates g1.23.1 is still very recent?

Configuration

No response

Logs

No response

nabokihms commented 2 months ago

We are not using encoding/gob anywhere nor our code dependencies, so the CVE is not applicable. The new version of Dex will be released by the end of the month with all the CVE fixes.

MoeBensu commented 15 hours ago

@nabokihms gomplate has released v4.2.0 with updated go binary to go1.23.0. Bumping gomplate to v4.2.0 should be the final step to resolve this issue.

Locally, a dex image built with gomplate 4.2.0 reports nevertheless the CVE at usr/local/bin/gomplate!!! However, the CVE doesn't get reported when running trivy against hairyhenderson/gomplate:v4.2.0. It could be my local setup, although I doubt it. Any ideas?

dexidp / dex

CVE-2024-34156 #3732