kubernetes-sigs / custom-metrics-apiserver

Framework for implementing custom metrics support for Kubernetes
Apache License 2.0

CVE-2023-45142 affects the go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1 indirect dependency #160

Closed priyaselvaganesan closed 4 months ago

priyaselvaganesan commented 10 months ago

CVE link: https://nvd.nist.gov/vuln/detail/CVE-2023-45142

Is this repository using the go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp dependency actively? If so, can you give a time frame on resolving the CVE?

dashpole commented 10 months ago

This repository does not use otelhttp, but I think it is still a good idea to bump the version.

dashpole commented 10 months ago

/assign @dgrisonnet /triage accepted

manikantanallagatla commented 9 months ago

Hi, any plans on updating the otelhttp package?

dashpole commented 9 months ago

https://github.com/kubernetes-sigs/custom-metrics-apiserver/pull/161

dgrisonnet commented 9 months ago

This repo is not directly affected by that vulnerability, so we don't have any timeline for fixing it.

@manikantanallagatla would you perhaps be interested in sending a PR to bump the k8s versions and the otel dep?

liangyuanpeng commented 8 months ago

Opened a PR https://github.com/kubernetes-sigs/custom-metrics-apiserver/pull/162 to fix it

CatherineF-dev commented 4 months ago

/close

It's in 1.29.0 already

k8s-ci-robot commented 4 months ago

@CatherineF-dev: Closing this issue.

In response to [this](https://github.com/kubernetes-sigs/custom-metrics-apiserver/issues/160#issuecomment-2096764668):

> /close
>
> It's in 1.29.0 already

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.