Closed Freyert closed 4 months ago
Down to 3 vulnerabilities.
```
Vulnerability #1: GO-2023-2382
Denial of service via chunk extensions in net/http
More info: https://pkg.go.dev/vuln/GO-2023-2382
Standard library
Found in: net/http/internal@go1.21.3
Fixed in: net/http/internal@go1.21.5
Example traces found:
#1: test/tools/fake-apiserver/pkg/server/server.go:80:29: server.Server.ServeHTTP calls ioutil.ReadAll, which eventually calls internal.chunkedReader.Read

Vulnerability #2: GO-2023-2186
Incorrect detection of reserved device names on Windows in path/filepath
More info: https://pkg.go.dev/vuln/GO-2023-2186
Standard library
Found in: path/filepath@go1.21.3
Fixed in: path/filepath@go1.21.4
Example traces found:
#1: test/e2e/framework/helper/kubectl.go:49:16: helper.Kubectl.RunWithStdout calls exec.Cmd.Run, which eventually calls filepath.IsLocal

Vulnerability #3: GO-2023-2185
Insecure parsing of Windows paths with a \??\ prefix in path/filepath
More info: https://pkg.go.dev/vuln/GO-2023-2185
```
Fixed! (allegedly 😏)

```
❯ govulncheck ./...
Scanning your code and 1237 packages across 124 dependent modules for known vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

Your code is affected by 0 vulnerabilities.
This scan also found 1 vulnerability in packages you import and 1 vulnerability
in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
```
Meant to do this in my own fork, sorry!
I've updated the k8s client libraries for everything.
It was fairly difficult, but a lot of it was just adjusting APIs.
👉 I tried to go commit by commit so it may be easier to understand the commit stream.
Run `make build` to try it yourself.