hashicorp / packer

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.
http://www.packer.io

[ CVE-2024-6104 ] Update github.com/hashicorp/go-retryablehttp package #13079

Closed kalpanathanneeru21 closed 3 months ago

kalpanathanneeru21 commented 3 months ago

Currently we are observing a security vulnerability with Packer.

Packer Version: 1.10.3 / v1.11.0; CVE: CVE-2024-6104; Severity: MEDIUM

"vulnerabilities": [
        {
          "vulnerability_id": "CVE-2024-6104",
          "severity": "MEDIUM",
          "pkg_name": "github.com/hashicorp/go-retryablehttp",
          "pkg_path": "",
          "installed_version": "v0.7.0",
          "fixed_version": "0.7.7",
          "cvss_v2_score": "",
          "cvss_v3_score": "5.5",
          "status_summary": {
            "priority": "INFO",
            "status": "WARNING"
          }
        }
      ],

So we wanted to know if there is any plan on releasing a patch for this in the next release. If not, when can we expect a release with this patch?
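A defender-side check, added here as an example and not part of the issue or of Packer's own code: it reads the module list that `go version -m <binary>` prints for a Packer binary, finds go-retryablehttp and compares it against the fixed version the scanner reported (0.7.7). The embedded build info is a constructed sample with placeholder checksums, and the version comparison is a simplified one for plain MAJOR.MINOR.PATCH tags.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go version -m packer` output (h1: sums are placeholders).
const sampleBuildInfo = "packer: go1.22.4\n" +
	"\tmod\tgithub.com/hashicorp/packer\tv1.10.3\th1:PLACEHOLDER\n" +
	"\tdep\tgithub.com/hashicorp/go-retryablehttp\tv0.7.0\th1:PLACEHOLDER\n"

// depVersion returns the version on the "\tdep\t<path>\t<version>\t<sum>" line for module, or "".
func depVersion(buildInfo, module string) string {
	sc := bufio.NewScanner(strings.NewReader(buildInfo))
	for sc.Scan() {
		f := strings.Split(strings.TrimPrefix(sc.Text(), "\t"), "\t")
		if len(f) >= 3 && (f[0] == "dep" || f[0] == "mod") && f[1] == module {
			return f[2]
		}
	}
	return ""
}

// semverLess reports a < b for [v]MAJOR.MINOR.PATCH; missing parts count as 0, pre-release tags are ignored.
func semverLess(a, b string) bool {
	pa := append(strings.Split(strings.TrimPrefix(a, "v"), "."), "0", "0")
	pb := append(strings.Split(strings.TrimPrefix(b, "v"), "."), "0", "0")
	for i := 0; i < 3; i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x < y
		}
	}
	return false
}

// Affected returns the bundled go-retryablehttp version and whether it predates the scanner's fixed version 0.7.7.
func Affected(buildInfo string) (string, bool) {
	v := depVersion(buildInfo, "github.com/hashicorp/go-retryablehttp")
	return v, v != "" && semverLess(v, "0.7.7")
}

func main() {
	v, bad := Affected(sampleBuildInfo)
	fmt.Printf("go-retryablehttp %s affected by CVE-2024-6104: %v\n", v, bad)
}
```

To check a real binary, feed it the output of `go version -m /path/to/packer` instead of the constructed sample.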

github-actions[bot] commented 3 months ago

Hi 👋 thanks for reaching out.

For general questions we recommend reaching out to the [community forum](https://discuss.hashicorp.com/c/packer) for greater visibility.
As the GitHub issue tracker is only watched by a small subset of maintainers and is really reserved for bugs and enhancements, you'll have a better chance of finding someone who can help you in the forum.
We'll mark this issue as needs-reply to help inform maintainers that this question is awaiting a response.
If no activity is taken on this question within 30 days it will be automatically closed.

If you find the forum to be more helpful or if you've found the answer to your question elsewhere please feel free to post a response and close the issue.

nywilken commented 3 months ago

Thanks for bubbling up this issue. A pull-request has been made to address this vulnerability - a subsequent change has been made to the Packer SDK, as well. We will release Packer 1.11.1 next week. Given our LTS support model we will only update the latest version of Packer, and will not backport to 1.10.3.

github-actions[bot] commented 2 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.