hashicorp / envconsul

Launch a subprocess with environment variables using data from @HashiCorp Consul and Vault.
https://www.hashicorp.com/
Mozilla Public License 2.0

Critical Golang vulnerability in v0.13.2 #362

Open mdfst opened 3 months ago

mdfst commented 3 months ago

Envconsul version

/usr/local/bin/envconsul --version
envconsul v0.13.2 (dd416ce)

This is the latest release available: https://github.com/hashicorp/envconsul/releases

It contains a critical Go vulnerability:

usr/local/bin/envconsul (gobinary)
==================================
Total: 1 (CRITICAL: 1)

Installed version: 1.20.4    
Fixed Version: 1.21.11, 1.22.4

https://nvd.nist.gov/vuln/detail/CVE-2024-24790 https://github.com/golang/go/issues/67680
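The scanner output above flags the toolchain stamped into the binary, not envconsul's own code: CVE-2024-24790 is a bug in Go's net/netip where the Is* predicates (IsLoopback, IsPrivate and friends) answered incorrectly for IPv4-mapped IPv6 addresses, and it is fixed only by rebuilding with the versions listed (1.21.11 or 1.22.4). The example below is an added illustration, not code from envconsul or HashiCorp. It reads the toolchain version out of an arbitrary Go binary the way the scanner does, decides whether that version predates the fix using the fixed versions quoted in the issue, and shows the usual application-side mitigation of calling Unmap() before any Is* check so the result is correct on both fixed and unfixed toolchains. The function names and the version-range logic are the example's own assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"net/netip"
	"os"
	"regexp"
	"strconv"
)

// goVersionRe matches release versions such as "go1.20.4" (patch is optional, e.g. "go1.22").
var goVersionRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion turns "go1.20.4" into (1, 20, 4).
func parseGoVersion(v string) (major, minor, patch int, err error) {
	m := goVersionRe.FindStringSubmatch(v)
	if m == nil {
		return 0, 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return major, minor, patch, nil
}

// ToolchainVulnerable reports whether a binary built with the given Go toolchain still
// ships the unfixed net/netip from CVE-2024-24790. The fixed versions are the ones the
// scanner lists (1.21.11 and 1.22.4, an assumption taken from the issue text); the 1.20
// line, including the 1.20.4 seen here, never received the fix.
func ToolchainVulnerable(v string) (bool, error) {
	major, minor, patch, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	switch {
	case major != 1:
		return false, nil // no go2.x exists; treat anything else as out of scope
	case minor < 21:
		return true, nil
	case minor == 21:
		return patch < 11, nil
	case minor == 22:
		return patch < 4, nil
	default:
		return false, nil
	}
}

// ReadToolchain extracts the toolchain version stamped into a Go binary, which is what
// the scanner reports as "Installed version" (hypothetical helper name).
func ReadToolchain(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

// IsLoopbackAddr is the hardened predicate: on an unfixed toolchain IsLoopback() returns
// false for the IPv4-mapped form ::ffff:127.0.0.1, so we Unmap() to plain 127.0.0.1 before
// asking. Unmap() is a no-op for native IPv4 and non-mapped IPv6 addresses.
func IsLoopbackAddr(s string) (bool, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false, err
	}
	return addr.Unmap().IsLoopback(), nil
}

func main() {
	// Usage: go run . [/path/to/go/binary]; defaults to inspecting itself.
	path := os.Args[0]
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	v, err := ReadToolchain(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "not a Go binary or unreadable:", err)
		os.Exit(1)
	}
	vuln, err := ToolchainVulnerable(v)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s: built with %s, affected by CVE-2024-24790: %v\n", path, v, vuln)
	for _, s := range []string{"127.0.0.1", "::ffff:127.0.0.1", "::1", "8.8.8.8"} {
		lb, _ := IsLoopbackAddr(s)
		fmt.Printf("%-18s loopback=%v\n", s, lb)
	}
}
```

Running it against /usr/local/bin/envconsul reproduces the scanner's finding without needing the scanner, and the version check is the same test a CI gate can apply to any vendored Go binary; the Unmap() pattern is what to reach for in your own code while waiting for a rebuilt release.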

marrws commented 3 months ago

Related to #324

marrws commented 2 months ago

@armon @catsby @ryanuber @hc-github-team-es-release-engineering I'm really sorry for the ping but this is important.

Can we get a new release so the vulnerabilities don't keep piling up?

marrws commented 1 month ago

Sorry to ping you directly @NicoletaPopoviciu

Can we get a new release so the vulnerabilities don't keep piling up?

marrws commented 1 month ago

Sorry to ping you directly @dhiaayachi

Can we get a new release so the vulnerabilities don't keep piling up?

chris-peterson commented 1 week ago

I hate to respond with "+1", but I'm also in need of a release.

A container I'm using envconsul in got dinged for CVE-2022-23806 (and related).

I believe these would all be resolved by republishing anything after Go is updated.