karlderkaefer / cdk-notifier

CLI tool to post AWS CDK diff as comment to Github pull request
MIT License
122 stars 7 forks

Remediated CIRCL's Kyber: timing side-channel vulnerability GHSA-9763-4f94-gfch #166

Closed passbt closed 5 months ago

passbt commented 5 months ago

Updating the circl package from 1.3.3 to version 1.3.7, which has the fix for GHSA-9763-4f94-gfch

passbt commented 5 months ago

@karlderkaefer, any chance this can be pulled in or get some feedback soon?

Thanks

karlderkaefer commented 5 months ago

@passbt I'll check today

karlderkaefer commented 5 months ago

@passbt the indirect dependency comes from github api.

go mod graph | grep github.com/cloudflare/circl
> github.com/google/go-github/v53@v53.2.0 github.com/cloudflare/circl@v1.3.3

This is removed in the newest version, so it would be best if you update the github api. If you update it, you also need to modify the imports https://github.com/karlderkaefer/cdk-notifier/blob/126c230932b489f0bf0412d5da1200005792ae88/provider/github.go#L8

If I should take over the upgrade, let me know, but ofc your contribution would be nice
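The step above (running `go mod graph` and grepping for the module) answers "who requires this version?" by eye. The following is an added example, not code from cdk-notifier or from the commenter, that does the same walk programmatically: it parses `go mod graph` output, finds every requirement edge on a version of the affected module older than the fixed one, and prints the chain of requirements from the main module down to it. The graph text is a constructed sample that mirrors the `go-github/v53 -> circl@v1.3.3` edge shown in the comment; the function and helper names are the example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go mod graph` output (not captured from the real
// repository). Each line is "parent child"; the main module has no @version.
const sampleGraph = `github.com/karlderkaefer/cdk-notifier github.com/google/go-github/v53@v53.2.0
github.com/karlderkaefer/cdk-notifier github.com/cloudflare/circl@v1.3.7
github.com/google/go-github/v53@v53.2.0 github.com/cloudflare/circl@v1.3.3
github.com/cloudflare/circl@v1.3.3 golang.org/x/crypto@v0.1.0
`

// splitModule separates "path@version"; the main module has no version part.
func splitModule(s string) (path, version string) {
	if i := strings.LastIndex(s, "@"); i >= 0 {
		return s[:i], s[i+1:]
	}
	return s, ""
}

// semverLess reports whether a < b, comparing only the numeric
// vMAJOR.MINOR.PATCH core (pre-release and pseudo-version suffixes are ignored).
func semverLess(a, b string) bool {
	parse := func(v string) [3]int {
		var out [3]int
		v = strings.TrimPrefix(v, "v")
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			v = v[:i]
		}
		for n, part := range strings.SplitN(v, ".", 3) {
			out[n], _ = strconv.Atoi(part)
		}
		return out
	}
	pa, pb := parse(a), parse(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// VulnerableRequirementPaths parses `go mod graph` output and returns, for each
// requirement on a version of module older than fixedVersion, the chain of
// requirements from the main module down to that version, joined with " -> ".
func VulnerableRequirementPaths(graph, module, fixedVersion string) []string {
	parents := map[string][]string{} // child -> modules that require it
	var mainModule string
	var bad []string
	for _, line := range strings.Split(strings.TrimSpace(graph), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		parent, child := fields[0], fields[1]
		if mainModule == "" {
			mainModule = parent // `go mod graph` lists the main module's edges first
		}
		parents[child] = append(parents[child], parent)
		p, v := splitModule(child)
		if p == module && semverLess(v, fixedVersion) && !contains(bad, child) {
			bad = append(bad, child)
		}
	}

	var paths []string
	var walk func(node string, chain []string)
	walk = func(node string, chain []string) {
		chain = append([]string{node}, chain...)
		if node == mainModule {
			paths = append(paths, strings.Join(chain, " -> "))
			return
		}
		for _, p := range parents[node] {
			if !contains(chain, p) { // guard against cycles in the requirement graph
				walk(p, chain)
			}
		}
	}
	for _, b := range bad {
		walk(b, nil)
	}
	return paths
}

func main() {
	// Real use: pipe `go mod graph` into this instead of the constructed sample.
	for _, p := range VulnerableRequirementPaths(sampleGraph, "github.com/cloudflare/circl", "v1.3.7") {
		fmt.Println(p)
	}
}
```

One caveat worth keeping in mind when reading the output: `go mod graph` prints requirement edges from every module's go.mod, not the versions the build actually selects. Under minimal version selection the highest required version wins, so once the main module requires circl v1.3.7 that is what gets built even though go-github's go.mod still lists v1.3.3; `go list -m all` shows the selected versions. The remaining stale edge is still worth removing, as the comment suggests, so that the fix does not depend on a pin in the main module alone.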

karlderkaefer commented 5 months ago

was fixed in #106 and #169. GitHub major version updates will now be merged automatically by renovate every month

karlderkaefer commented 5 months ago

issue is closed now, thanks for the report!

passbt commented 5 months ago

@karlderkaefer, sweet. I appreciate your work and the details above.