kubernetes-sigs / aws-iam-authenticator

A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster
Apache License 2.0
2.17k stars 416 forks

[Public security vulnerability]: update dependency versions please #719

Open squeakymouse opened 2 months ago

squeakymouse commented 2 months ago

What would you like to be added?

Could you please update the golang.org/x/net version to 0.23.0, and then release a new version of aws-iam-authenticator after that, due to security vulnerabilities found in the latest 0.6.14 version?

Why is this needed?

Security scan results from a Docker image that uses the latest 0.6.14 version of aws-iam-authenticator have highlighted the CVE-2023-45288 vulnerability in the golang.org/x/net dependency, and the CVE-2024-24786 vulnerability in the google.golang.org/protobuf dependency. (I think the google.golang.org/protobuf version pinned in the code is up-to-date enough, but the latest released version of aws-iam-authenticator is not using this yet.)

Anything else we need to know?

No response

bryantbiggs commented 2 months ago

Looks like there was just a release that should have this fix in it: https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/tag/v0.6.20