Closed eli-darkly closed 2 years ago
eli-darkly
commented
2 years ago Update: it may take a bit longer to fix this than we had hoped, because there is an indirect reference to the older AWS SDK in the old Google Cloud (a.k.a. Stackdriver) metrics integration package... which we can't get away from until we migrate from OpenCensus to OpenTelemetry for metrics. We had planned to do the latter anyway, but it's a bigger code change.
eli-darkly
commented
2 years ago Another update:
The OpenTelemetry work I mentioned above is still ongoing, and is probably for a 7.0.0 release rather than 6.x.
So, in order to be able to have clean security scans in 6.x, we're simply forking the problematic OpenCensus library and removing the AWS SDK v1 dependency from it (which wasn't actually being used). This change will be in a v6.7.14 patch release and should not affect any Relay Proxy functionality.
eli-darkly
commented
2 years ago Fixed in the 6.7.14 release.
LD has opened this issue to let everyone know that we're aware of these vulnerability reports, and we will release a patch version of our Docker image to address these as soon as possible:
It's our policy to make any necessary dependency/platform updates for such issues no matter what, but we also look into the details to determine how much of an actual risk these represent, if any, to Relay Proxy installations that are currently running. Here is our analysis:
Addressing these warnings will require updating to the v2 AWS SDK in Relay Proxy as well as in the LaunchDarkly Go SDK's DynamoDB integration.