go-kit / kit

A standard library for microservices.
https://gokit.io
MIT License

Update go.etcd.io/etcd/client/v3 to fix vulnerability issue CVE-2022-34038 #1272

Closed malfple closed 10 months ago

malfple commented 10 months ago

This PR updates go.etcd.io/etcd/client/v3 to fix vulnerability issue CVE-2022-34038.

Done by running:

go get -u go.etcd.io/etcd/client/v3
go mod tidy

When doing go mod tidy, I ran into issues that would require updating libs for go 1.16 compatibility. Here are some of the messages:

...
github.com/go-kit/kit/metrics/pcp imports
        github.com/performancecopilot/speed/v4 imports
        github.com/HdrHistogram/hdrhistogram-go tested by
        github.com/HdrHistogram/hdrhistogram-go.test imports
        gonum.org/v1/gonum/stat/distuv imports
        gonum.org/v1/gonum/stat imports
        gonum.org/v1/gonum/mat imports
        gonum.org/v1/gonum/blas/blas64 imports
        gonum.org/v1/gonum/blas/gonum imports
        gonum.org/v1/gonum/internal/cmplx64 loaded from gonum.org/v1/gonum@v0.8.2,
        but go 1.16 would select v0.11.0
github.com/go-kit/kit/metrics/pcp imports
        github.com/performancecopilot/speed/v4 imports
        github.com/HdrHistogram/hdrhistogram-go tested by
        github.com/HdrHistogram/hdrhistogram-go.test imports
        gonum.org/v1/gonum/stat/distuv imports
        gonum.org/v1/gonum/stat imports
        gonum.org/v1/gonum/mat imports
        gonum.org/v1/gonum/blas/blas64 imports
        gonum.org/v1/gonum/blas/gonum imports
        gonum.org/v1/gonum/internal/math32 loaded from gonum.org/v1/gonum@v0.8.2,
        but go 1.16 would select v0.11.0

To upgrade to the versions selected by go 1.16:
        go mod tidy -go=1.16 && go mod tidy -go=1.17
If reproducibility with go 1.16 is not needed:
        go mod tidy -compat=1.17
For other options, see:
        https://golang.org/doc/modules/pruning

Selected the first option to upgrade to the versions selected by go 1.16.

Issue: https://github.com/go-kit/kit/issues/1271
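A pre-merge check for this kind of dependency bump, as an added example rather than go-kit's own code: given the go.mod text of the consuming module and of the upgraded dependencies, it flags every dependency whose go directive is newer than the module's own, which is the failure reported later in this thread for go.uber.org/multierr v1.11.0 (requires Go 1.19). The go.mod fragments below are constructed for the example, not the real files.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod fragments (not the real files): consumer declares go 1.17.
const kitGoMod = "module github.com/go-kit/kit\n\ngo 1.17\n"

var sampleDeps = map[string]string{
	"go.uber.org/multierr":      "module go.uber.org/multierr\n\ngo 1.19\n",
	"go.etcd.io/etcd/client/v3": "module go.etcd.io/etcd/client/v3\n\ngo 1.16\n",
}

// goDirective returns the value of the go directive (e.g. "1.19"), or "" if absent.
func goDirective(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

// goVersionLess compares the major.minor form the go directive uses ("1.17" < "1.19").
func goVersionLess(a, b string) bool {
	var aMaj, aMin, bMaj, bMin int
	fmt.Sscanf(a, "%d.%d", &aMaj, &aMin)
	fmt.Sscanf(b, "%d.%d", &bMaj, &bMin)
	return aMaj < bMaj || (aMaj == bMaj && aMin < bMin)
}

// incompatibleDeps: deps (path -> go.mod text) whose go directive is newer than the consumer's.
func incompatibleDeps(consumer string, deps map[string]string) map[string]string {
	have := goDirective(consumer)
	out := map[string]string{}
	for path, mod := range deps {
		if need := goDirective(mod); need != "" && goVersionLess(have, need) {
			out[path] = need
		}
	}
	return out
}

func main() {
	for path, need := range incompatibleDeps(kitGoMod, sampleDeps) {
		fmt.Printf("%s requires go %s, but go.mod declares go %s\n", path, need, goDirective(kitGoMod))
	}
}
```

Feeding it the real go.mod files (for instance from the module cache) before running go mod tidy tells you up front whether the bump forces a toolchain upgrade.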

peterbourgon commented 10 months ago

Error: ../../../go/pkg/mod/go.uber.org/multierr@v1.11.0/error.go:209:20: undefined: atomic.Bool
note: module requires Go 1.19

malfple commented 10 months ago

Hi @peterbourgon, leaving an update. Our partner that was supposed to detect the vulnerability has decided that this is no longer a vulnerability and we no longer need this change. In addition to your help in pointing out that some of the new libs I added require go 1.19, I will be closing this PR. Thanks!