minio / mc

Unix like utilities for object store
https://min.io/download
GNU Affero General Public License v3.0

Go version 1.19 has critical vulnerabilities. #4772

Closed SametOzenc closed 11 months ago

SametOzenc commented 11 months ago

Environmental Info: RELEASE.2023-11-20T16-30-59Z

Go version 1.19 has critical vulnerabilities:

https://nvd.nist.gov/vuln/detail/CVE-2023-39323
https://nvd.nist.gov/vuln/detail/CVE-2023-29405
https://nvd.nist.gov/vuln/detail/CVE-2023-29402
https://nvd.nist.gov/vuln/detail/CVE-2023-29404
https://nvd.nist.gov/vuln/detail/CVE-2023-24540
https://nvd.nist.gov/vuln/detail/CVE-2023-24538

mc needs to update go-version to 1.20.9 or 1.21.2, wherein the fix is available.

harshavardhana commented 11 months ago

What are you talking about? We compile and release our binaries with Go 1.21.4

All our CI/CD builds with go1.21.4. Yes, our go.mod, however, points to go1.19 for good reasons: to ensure that mc can be compiled from two current releases and one older.

Closing this issue.
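
The distinction raised in this thread, as an added example that is not part of the original issue or of mc's code: the `go` line in go.mod is a minimum language version, so a vulnerability check should evaluate the toolchain that built the release. The helper names and the sample go.mod text are assumptions; the thresholds (1.20.9, 1.21.2) and the versions 1.19 and go1.21.4 are the ones quoted above.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseGo turns "go1.21.4" or "1.19" into [major, minor, patch]; missing parts are 0.
func parseGo(v string) (out [3]int, err error) {
	for i, p := range strings.SplitN(strings.TrimPrefix(strings.TrimSpace(v), "go"), ".", 3) {
		if out[i], err = strconv.Atoi(p); err != nil {
			return out, fmt.Errorf("bad Go version %q: %w", v, err)
		}
	}
	return out, nil
}

// modDirective returns the version on the `go` line of go.mod text, or "".
func modDirective(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

// hasFixes: is v at or above the fixed releases named in the issue (1.20.9, 1.21.2)?
func hasFixes(v string) (bool, error) {
	p, err := parseGo(v)
	if err != nil || p[0] != 1 {
		return err == nil && p[0] > 1, err
	}
	switch p[1] {
	case 20:
		return p[2] >= 9, nil
	case 21:
		return p[2] >= 2, nil
	}
	return p[1] > 21, nil
}

const sampleMod = "module example.invalid/tool\n\ngo 1.19\n" // constructed sample

func main() {
	d, _ := hasFixes(modDirective(sampleMod)) // what a go.mod-based scan sees
	t, _ := hasFixes("go1.21.4")              // toolchain the maintainer states
	fmt.Println("directive fixed:", d, "| release toolchain fixed:", t)
}
```

For a shipped binary, `go version -m <path>` prints the Go version it was built with, which is the string to pass to `hasFixes`.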