dhiaayachi / temporal

Temporal service
https://docs.temporal.io
MIT License

Vulnerability identified in otelgrpc package < 0.46.0 #202

Open dhiaayachi opened 2 weeks ago

dhiaayachi commented 2 weeks ago

Hi,

There is a security vulnerability identified and reported in the Go package go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (as mentioned here). This vulnerability is fixed in version 0.46.0. We observed that the latest Temporal version, i.e. 1.22.4, still uses an affected version of the package, i.e. 0.42.0. Do you have an estimate of when the next release with the fix for the reported vulnerability will be available?

Thanks.

dhiaayachi commented 3 days ago

Hi,

Thanks for reporting this security vulnerability. We are aware of the vulnerability reported in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc and are actively working on upgrading to a fixed version.

We will release a new Temporal version with the fix as soon as possible. You can follow our releases and updates on our GitHub releases page.

In the meantime, we suggest you consider upgrading to the latest version of the go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc package.

dhiaayachi commented 3 days ago

Hi,

Thanks for reporting this. We're aware of the vulnerability you're referencing and we are actively working to address it in an upcoming release.

For now, you can upgrade the go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc dependency in your project to version 0.46.0 or later. Please refer to the Temporal documentation for details on upgrading Temporal.

We'll let you know when the next Temporal release with the fix is available.
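The upgrade advice in the comment above boils down to one check: is the otelgrpc version your module graph resolves to below v0.46.0? The following Go program is an added example (not code from the Temporal project or from anyone in this thread) that parses a go.mod, finds the otelgrpc requirement, and compares it against the first fixed release with a small semver comparison that also treats pre-releases of 0.46.0 as unfixed. The module `example.com/myservice`, the go.mod contents, and all function names are constructed for the example; only the package path and the versions 0.42.0, 0.46.0 and 1.22.4 come from the issue.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module path and first fixed version, as stated in the issue above.
const otelgrpcPath = "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
const fixedVersion = "v0.46.0"

var fixedSemver, _ = parseSemver(fixedVersion) // parsed once; the constant is known to parse

// Constructed go.mod excerpt for a hypothetical project that pins the affected
// otelgrpc release next to the Temporal server version named in the issue.
const sampleGoMod = `module example.com/myservice

require (
	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0 // indirect
	go.temporal.io/server v1.22.4
)
`

// parseSemver parses "vMAJOR.MINOR.PATCH[-pre][+build]" into four ints; the fourth
// is 0 for a pre-release, 1 for a release, so v0.46.0-rc.1 sorts below v0.46.0.
func parseSemver(v string) ([4]int, error) {
	out := [4]int{3: 1}
	s := strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i] // build metadata never affects precedence
	}
	if i := strings.IndexByte(s, '-'); i >= 0 {
		out[3], s = 0, s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("malformed version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// compareSemver returns a negative, zero or positive value as a sorts below,
// equal to or above b.
func compareSemver(a, b [4]int) int {
	for i := range a {
		if d := a[i] - b[i]; d != 0 {
			return d
		}
	}
	return 0
}

// requiredVersion returns the version go.mod requires for modulePath, from a
// single "require path vX" line or a require ( ... ) block, ignoring comments.
func requiredVersion(goMod, modulePath string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	inRequire := false
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop "// indirect" etc.
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inRequire = true
		case len(f) == 1 && f[0] == ")":
			inRequire = false
		case len(f) == 3 && f[0] == "require" && f[1] == modulePath:
			return f[2], true
		case inRequire && len(f) == 2 && f[0] == modulePath:
			return f[1], true
		}
	}
	return "", false
}

// otelgrpcVulnerable reports the otelgrpc version go.mod requires and whether it
// is below the first fixed release; no requirement at all means nothing to flag.
func otelgrpcVulnerable(goMod string) (string, bool, error) {
	v, ok := requiredVersion(goMod, otelgrpcPath)
	if !ok {
		return "", false, nil
	}
	parsed, err := parseSemver(v)
	if err != nil {
		return v, false, err
	}
	return v, compareSemver(parsed, fixedSemver) < 0, nil
}

func main() {
	v, vuln, err := otelgrpcVulnerable(sampleGoMod)
	fmt.Printf("otelgrpc %s below %s: %t (err=%v)\n", v, fixedVersion, vuln, err)
}
```

A go.mod `require` line is only the minimum your module asks for; Go's minimal version selection builds with the highest version required anywhere in the graph, so `go list -m go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc` is the authoritative answer for a given build. Bumping your own requirement with `go get <path>@v0.46.0` followed by `go mod tidy` raises that selected version even when a dependency such as the Temporal server module still requires 0.42.0. Running `govulncheck ./...` afterwards confirms whether any vulnerable function in the package is actually reachable from your code.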

dhiaayachi commented 3 days ago

Hi,

Thank you for reporting this security vulnerability.

We are aware of the issue reported in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc and are working on upgrading the package to the latest version in an upcoming Temporal release. In the meantime, you can consider upgrading the go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc package in your application to version 0.46.0 or later.

We will keep you updated on the release schedule.

dhiaayachi commented 3 days ago

Hi there,

Thank you for reporting this vulnerability. We are aware of the security vulnerability reported in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. The Temporal team is actively working on upgrading the package to version 0.46.0. We will release a new version of Temporal as soon as possible. In the meantime, you can consider pinning the go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc package to version 0.46.0 in your project.

We will update our documentation with the release date and version number once the new version is available.

We appreciate your patience and understanding.

dhiaayachi commented 2 days ago

Thank you for reporting this security vulnerability. We are aware of the issue and are working on a fix. We will update the Temporal documentation with the new release information once it's available. In the meantime, we recommend upgrading your Temporal installation to a version that includes the fix.