hashicorp / envconsul

Launch a subprocess with environment variables using data from @HashiCorp Consul and Vault.
https://www.hashicorp.com/
Mozilla Public License 2.0

Critical Golang vulnerability in v0.13.2 #362

Open mdfst opened 5 months ago

mdfst commented 5 months ago

Envconsul version

/usr/local/bin/envconsul --version
envconsul v0.13.2 (dd416ce)

Which is the latest release available https://github.com/hashicorp/envconsul/releases

Contains critical golang vulnerability

usr/local/bin/envconsul (gobinary)
==================================
Total: 1 (CRITICAL: 1)

Installed version: 1.20.4    
Fixed Version: 1.21.11, 1.22.4

https://nvd.nist.gov/vuln/detail/CVE-2024-24790 https://github.com/golang/go/issues/67680
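A defender-side check for the condition the scan output above flags, added here as an example and not code from envconsul or from anyone in this thread: it reads the Go toolchain version the linker embedded in a binary (the "Installed version" the scanner reports, also shown by `go version -m`) and compares it with the fixed versions from the advisory. The tool name `gocheck` and the rule that a series the advisory does not list is reported as unpatched are this example's own assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion turns "go1.20.4" or "1.21.11" into {major, minor, patch};
// pre-release strings such as "go1.22rc1" are rejected rather than guessed.
func parseGoVersion(v string) (out [3]int, err error) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	for i := 0; i < len(parts) && i < 3 && err == nil; i++ {
		out[i], err = strconv.Atoi(parts[i])
	}
	if err != nil || len(parts) < 2 {
		err = fmt.Errorf("unrecognised Go version %q", v)
	}
	return out, err
}

// IsPatched tests a toolchain version against an advisory's per-series fixed
// versions (1.21.11 and 1.22.4 for CVE-2024-24790): within a listed series the
// patch level must reach the fix. A series the advisory does not list (1.20 in
// this issue) is reported as unpatched, the safe default for a scanner.
func IsPatched(installed string, fixed []string) (bool, error) {
	inst, err := parseGoVersion(installed)
	for i := 0; i < len(fixed) && err == nil; i++ {
		var fv [3]int
		if fv, err = parseGoVersion(fixed[i]); err == nil && fv[0] == inst[0] && fv[1] == inst[1] {
			return inst[2] >= fv[2], nil
		}
	}
	return false, err
}

// Usage: gocheck /usr/local/bin/envconsul 1.21.11 1.22.4
// buildinfo.ReadFile returns the toolchain version the Go linker embedded in the
// binary (the "go1.x.y" line of `go version -m <file>`), so no source is needed.
func main() {
	info, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	ok, err := IsPatched(info.GoVersion, os.Args[2:])
	fmt.Printf("%s built with %s: patched=%v err=%v\n", os.Args[1], info.GoVersion, ok, err)
}
```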

marrws commented 4 months ago

Related to #324

marrws commented 3 months ago

@armon @catsby @ryanuber @hc-github-team-es-release-engineering I'm really sorry for the ping but this is important.

Can we get a new release so the vulnerabilities don't keep piling up?

marrws commented 2 months ago

Sorry to ping you directly @NicoletaPopoviciu

Can we get a new release so the vulnerabilities don't keep piling up?

marrws commented 2 months ago

Sorry to ping you directly @dhiaayachi

Can we get a new release so the vulnerabilities don't keep piling up?

chris-peterson commented 1 month ago

I hate to respond with "+1", but I'm also in need of a release.

A container I'm using envconsul in got dinged for CVE-2022-23806 (and related).

I believe these would all be resolved by republishing anything after Go updated.

noahtrilling commented 2 weeks ago

According to the CODEOWNERS file in this repository, the Consul team are the owners of envconsul. Since the issues in this repository seem unmonitored, I've created an issue in the Consul repository to get the vulnerabilities addressed.

Consul #21879

1FastSTi commented 4 days ago

Also CVE-2023-45288