Closed pjonsson closed 4 months ago
Security scanners such as Trivy will flag the 1.28.0 release binary with CVE-2023-39325.
The main branch seems to use updated libraries, so making a release should fix this issue.
Run Trivy on any Docker image that contains the release binary:
┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library          │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                        │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-39325 │ HIGH     │ fixed  │ v0.11.0           │ 0.17.0        │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                  │                │          │        │                   │               │ excessive work (CVE-2023-44487)                              │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
The new release v1.28.1 should fix this.
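One way to confirm that a rebuilt release actually links the fixed module, independent of what the scanner reports: read the module list Go embeds in every binary (`go version -m <binary>`) and compare the recorded golang.org/x/net version against the fixed version from the Trivy finding above. This is an added example, not code from the issue or from the project; the sample build info, the `h1:PLACEHOLDER` hashes and the `example.com/app` module path are constructed.

```python
import subprocess

# Minimum fixed version per module, taken from the Trivy finding quoted above
# (golang.org/x/net below 0.17.0 carries CVE-2023-39325). Constructed table.
FIXED_VERSIONS = {"golang.org/x/net": "v0.17.0"}

# Constructed sample of `go version -m <binary>` output; hashes are placeholders
# and example.com/app is a made-up module path, not the project's.
SAMPLE_BUILDINFO = """\
/usr/local/bin/app: go1.20.5
\tpath\texample.com/app
\tmod\texample.com/app\tv1.28.0\th1:PLACEHOLDER
\tdep\tgolang.org/x/net\tv0.11.0\th1:PLACEHOLDER
\tdep\tgolang.org/x/text\tv0.10.0\th1:PLACEHOLDER
\tbuild\t-buildmode=exe
"""

def buildinfo_of(binary_path):
    """Read the embedded module list of a real binary (needs a Go toolchain)."""
    return subprocess.run(["go", "version", "-m", binary_path],
                          capture_output=True, text=True, check=True).stdout

def parse_version(v):
    """Map 'v0.11.0' or a pseudo-version 'v0.0.0-20230101000000-abcdef' to a
    comparable key (major, minor, patch, is_release); pre-releases sort lower."""
    core, _, pre = v.lstrip("v").partition("-")
    nums = tuple(int(x) for x in core.split("."))
    return nums + (0,) * (3 - len(nums)) + (0 if pre else 1,)

def parse_buildinfo(text):
    """Parse `go version -m` output into {module: version}. A `=>` line is a
    replace directive; its version is what was actually linked, so it overrides
    the dep line just before it."""
    mods, last = {}, None
    for line in text.splitlines():
        fields = line.strip().split("\t")
        if fields[0] == "dep" and len(fields) >= 3:
            last = fields[1]
            mods[last] = fields[2]
        elif fields[0] == "=>" and last and len(fields) >= 3:
            mods[last] = fields[2]
    return mods

def vulnerable_modules(text, fixed=FIXED_VERSIONS):
    """Return {module: (embedded, fixed)} for each module still below its fix."""
    mods = parse_buildinfo(text)
    return {m: (mods[m], f) for m, f in fixed.items()
            if m in mods and parse_version(mods[m]) < parse_version(f)}
```

On a real release binary, `vulnerable_modules(buildinfo_of("/path/to/binary"))` returns an empty dict once the dependency has been bumped; on the sample it reports x/net v0.11.0 against fix v0.17.0.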