fullstorydev / grpcurl

Like cURL, but for gRPC: Command-line tool for interacting with gRPC servers
MIT License
10.36k stars, 497 forks

Upgrade to go 1.21.2+ #422

Open vinsonxing opened 8 months ago

vinsonxing commented 8 months ago

Hi,

Do you have a plan to upgrade the golang version to 1.21.2+ (currently grpcurl 1.8.9 is built on top of golang 1.21.1)? In our security scanning, we get a Critical issue in 1.21.1 (CVE-2023-39323).

Thanks

gfrankliu commented 8 months ago

Our scanner also complained https://nvd.nist.gov/vuln/detail/CVE-2023-44487 due to go 1.21.1

Apart from go, there is also grpc version that needs to be upgraded: https://github.com/advisories/GHSA-m425-mq94-257g

lokeshmavale commented 8 months ago

Same, Critical issue with: https://github.com/advisories/GHSA-m425-mq94-257g

vinsonxing commented 7 months ago

Will this be fixed in a new version? What's the timeline?

dragonsinth commented 7 months ago

There's no threat model for either of these vulns for gRPCurl. So we have no urgency to address them.

enakshipriya commented 4 months ago

I am not raising another issue because I found this open one. Even in our case we are getting security vulns due to the below CVE IDs, which require an upgrade to golang version 1.21.2+:

CVE-2023-39323 CVE-2023-45285 CVE-2023-45283 CVE-2023-39325 CVE-2023-45284 CVE-2023-39326
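A defender-side triage check for the kind of scanner finding discussed in this thread, added here as an example and not code from the grpcurl project: it reads the build metadata the Go toolchain embeds in every module-built binary (the same data `go version -m <binary>` prints), compares the recorded toolchain against the 1.21.2 floor requested above, and surfaces the version of `google.golang.org/grpc` the binary actually links so it can be checked against the GHSA advisory linked earlier. The `Triage`, `TriageBinary` and `GoVersionAtLeast` functions, the `Finding` type and the two constants are this example's own names. The thread does not state which grpc release fixes the advisory, so the example reports the linked version for comparison rather than judging it.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// MinGoVersion is the toolchain floor this issue asks for (1.21.2+).
const MinGoVersion = "go1.21.2"

// GrpcModule is the module path of the gRPC dependency named in the thread's GHSA link.
const GrpcModule = "google.golang.org/grpc"

// goVersionRe matches the "goX.Y" or "goX.Y.Z" prefix used by runtime.Version
// and by the embedded build info. Anything else (e.g. "devel ...") is rejected.
var goVersionRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion turns "go1.21.1" into [1 21 1]. A pre-release such as
// "go1.21rc1" parses as 1.21.0, i.e. older than the first patch release.
func parseGoVersion(v string) ([3]int, error) {
	m := goVersionRe.FindStringSubmatch(strings.TrimSpace(v))
	if m == nil {
		return [3]int{}, fmt.Errorf("unrecognised Go version %q", v)
	}
	var out [3]int
	for i, s := range m[1:] {
		if s == "" {
			continue // no patch component means .0
		}
		n, err := strconv.Atoi(s)
		if err != nil {
			return [3]int{}, err
		}
		out[i] = n
	}
	return out, nil
}

// GoVersionAtLeast reports whether have >= want, both written like "go1.21.2".
func GoVersionAtLeast(have, want string) (bool, error) {
	h, err := parseGoVersion(have)
	if err != nil {
		return false, err
	}
	w, err := parseGoVersion(want)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	return true, nil
}

// Finding is the triage result for one binary.
type Finding struct {
	GoVersion   string // toolchain recorded in the binary
	GoOutdated  bool   // true when GoVersion is below MinGoVersion
	GrpcVersion string // linked google.golang.org/grpc version, "" if absent
}

// Triage applies the thread's rule to already-extracted build metadata.
// deps maps module path to the version actually linked (replacements resolved).
func Triage(goVersion string, deps map[string]string) (Finding, error) {
	ok, err := GoVersionAtLeast(goVersion, MinGoVersion)
	if err != nil {
		return Finding{}, err
	}
	return Finding{GoVersion: goVersion, GoOutdated: !ok, GrpcVersion: deps[GrpcModule]}, nil
}

// TriageBinary reads the build info embedded in a Go executable on disk.
func TriageBinary(path string) (Finding, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return Finding{}, err
	}
	deps := make(map[string]string, len(bi.Deps))
	for _, d := range bi.Deps {
		if d.Replace != nil { // a replace directive changes what is really linked
			deps[d.Path] = d.Replace.Version
			continue
		}
		deps[d.Path] = d.Version
	}
	return Triage(bi.GoVersion, deps)
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: triage <path-to-grpcurl-binary>")
		os.Exit(2)
	}
	f, err := TriageBinary(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("toolchain: %s (below %s: %v)\n", f.GoVersion, MinGoVersion, f.GoOutdated)
	fmt.Printf("%s: %q (compare against the advisory's fixed versions)\n", GrpcModule, f.GrpcVersion)
}
```

Run it as `go run . /path/to/grpcurl`. The toolchain comparison is the part a scanner keys on: a binary built with go1.21.1 is reported as outdated regardless of which grpcurl release it came from, while a rebuild with 1.21.2 or later clears that finding. The grpc version is printed separately because the advisory fix is a module upgrade, not a toolchain upgrade, and the two need to be triaged independently.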