splunk / terraform-provider-splunk

Terraform Provider for Splunk
Mozilla Public License 2.0

Vulnerable Dependency (golang.org/x/crypto) #189

Closed dmitrykruglov closed 3 months ago

dmitrykruglov commented 4 months ago

Hi,

my company's security scanner has detected that the splunk terraform provider includes an old version of golang.org/x/crypto package that is affected by the CVE-2020-9283 vulnerability. It would be much appreciated if the package could be upgraded to v0.0.0-20200220183623-bac4c82f6975, where the vulnerability is fixed.
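A check for the condition reported above, as an added example that is not part of the original issue or the provider's code: it reads a go.mod and reports whether the pinned golang.org/x/crypto version is at or past the fixed pseudo-version named in the report. The function name `checkCrypto` and the sample go.mod are constructed for illustration; it assumes tagged releases (v0.1.0 onward) postdate the fix and does not evaluate replace directives.

```go
package main

import (
	"fmt"
	"strings"
)

// Timestamp in the fixed pseudo-version v0.0.0-20200220183623-bac4c82f6975.
const fixedStamp = "20200220183623"

// checkCrypto scans go.mod text for the golang.org/x/crypto requirement and
// reports the pinned version and whether it is at or past the fixed commit.
// Replace directives are not evaluated.
func checkCrypto(goMod string) (version string, fixed bool, err error) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" {
			f = f[1:] // single-line form: require <path> <version>
		}
		if len(f) < 2 || f[0] != "golang.org/x/crypto" || !strings.HasPrefix(f[1], "v") {
			continue
		}
		version = f[1]
		if !strings.HasPrefix(version, "v0.0.0-") {
			// Assumption: tagged releases (v0.1.0 onward) were cut after the fix.
			return version, true, nil
		}
		parts := strings.Split(version, "-")
		if len(parts) != 3 || len(parts[1]) != len(fixedStamp) {
			return version, false, fmt.Errorf("malformed pseudo-version %q", version)
		}
		// Equal-length UTC timestamps order correctly as strings.
		return version, parts[1] >= fixedStamp, nil
	}
	return "", false, fmt.Errorf("golang.org/x/crypto is not required")
}

// Constructed sample go.mod (placeholder commit hash), not the provider's file.
const sampleGoMod = `module example.com/demo
require (
	github.com/example/dep v1.2.3
	golang.org/x/crypto v0.0.0-20190101000000-aaaaaaaaaaaa // indirect
)
`

func main() {
	v, ok, err := checkCrypto(sampleGoMod)
	fmt.Println(v, ok, err)
}
```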

benoittoulme commented 4 months ago

@rrossetti-splunk could you please review this or let us know who to contact to get it reviewed?

rrossetti-splunk commented 3 months ago

Fixed by #190 and released in version 1.4.24

benoittoulme commented 3 months ago

Thank you @rrossetti-splunk!