Closed DonSealy closed 1 year ago
Go kit expresses a dependency on the module google.golang.org/grpc at version v1.40.0. The latest version of that module is currently v1.51.0. These two versions share a major version number, and so Go modules treats them as compatible during version resolution, and applications that (correctly) assert that later version will receive it.
Happy to review and approve a PR that bumps the grpc module version as suggested, assuming tests pass, etc. But that's a nice-to-have; if it doesn't happen it's not any kind of vulnerability. See e.g. #1250.
What would you like?
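The version-resolution behaviour described in the comment above, as an added example that is not code from go-kit or from this thread: a small minimal version selection over a hand-built requirement graph (the go-kit tag and the graph itself are constructed placeholders), showing that an application requiring a later grpc v1.x tag receives it despite go-kit's own v1.40.0 requirement.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed requirement graph (not go-kit's real go.mod; the go-kit tag is
// illustrative): app needs go-kit, which needs grpc v1.40.0; app itself also
// needs grpc v1.51.0. Both tags share major 1, so they are one module path.
var Graph = map[string][]string{
	"app":                            {"github.com/go-kit/kit@v0.12.0", "google.golang.org/grpc@v1.51.0"},
	"github.com/go-kit/kit@v0.12.0":  {"google.golang.org/grpc@v1.40.0"},
	"google.golang.org/grpc@v1.40.0": {},
	"google.golang.org/grpc@v1.51.0": {},
}

// newer reports whether semver tag a sorts after b (pre-release suffixes ignored).
func newer(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] > y[i]
		}
	}
	return false
}

// Select applies minimal version selection: walk every module@version node
// reachable from root and keep, per module path, the highest version asked for.
// A v2+ module carries a /v2 suffix in its path, so it would be a separate key.
func Select(graph map[string][]string, root string) map[string]string {
	selected := map[string]string{}
	seen := map[string]bool{root: true}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		for _, req := range graph[queue[0]] {
			at := strings.LastIndex(req, "@")
			path, ver := req[:at], req[at+1:]
			if cur, ok := selected[path]; !ok || newer(ver, cur) {
				selected[path] = ver
			}
			if !seen[req] {
				seen[req] = true
				queue = append(queue, req)
			}
		}
	}
	return selected
}

func main() { fmt.Println(Select(Graph, "app")) }
```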
It appears that kit/transport/grpc is vulnerable to the attack outlined in CVE-2022-41717 due to the package dependency on the Go gRPC implementation. Can go-kit be updated to leverage fixes for this vulnerability? It is fixed in Go minor releases 1.18.9 and 1.19.4.