
bump golang.org/x/crypto & golang.org/x/text deps to address CVEs #337

Merged
merged 1 commit into from
Apr 27, 2022

Conversation

finnigja
Contributor

This change bumps the golang.org/x/crypto and golang.org/x/text dependencies to address CVE-2022-27191 and CVE-2021-38561 respectively.

Proposed changes are the result of running in the vault-k8s root:

go get -u golang.org/x/crypto
go get -u golang.org/x/text
go mod tidy

There's no known exposure to these issues within the vault-k8s context, but adopting the updates for hygiene's sake & to reduce vulnerability scanner noise. For example, Trivy results from the current release:

$ trivy fs --ignore-unfixed vault-k8s
[snip]
 
Total: 2 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |           FIXED VERSION           |                 TITLE                 |
+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
| golang.org/x/crypto | CVE-2022-27191   | HIGH     | v0.0.0-20210220033148-5ea612d1eb83 | 0.0.0-20220315160706-3147a52a75dd | golang: crash in a                    |
|                     |                  |          |                                    |                                   | golang.org/x/crypto/ssh server        |
|                     |                  |          |                                    |                                   | -->avd.aquasec.com/nvd/cve-2022-27191 |
+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
| golang.org/x/text   | CVE-2021-38561   | UNKNOWN  | v0.3.6                             | 0.3.7                             | -->avd.aquasec.com/nvd/cve-2021-38561 |
+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
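The PR's procedure (`go get -u` the two modules, `go mod tidy`) and the Trivy table above together describe a simple check: is each installed version at or above the "FIXED VERSION" Trivy reports? The following is an added example, not code from the PR or from vault-k8s, that performs that check over a constructed go.mod excerpt. It assumes the pre-bump versions and fixed versions shown in the Trivy output; the module path in the sample go.mod and the `github.com/example/other` line are placeholders. Version ordering is a simplified form of Go's pseudo-version rules (numeric parts, then release before pre-release, then the 14-digit timestamp), sufficient for the two shapes in the table; a production checker would use `golang.org/x/mod/semver`.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt mirroring the pre-bump versions in the Trivy
// table (assumption: this is not the real vault-k8s go.mod).
const sampleGoMod = `module github.com/hashicorp/vault-k8s

go 1.17

require (
	github.com/example/other v1.2.3 // indirect
	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83
	golang.org/x/text v0.3.6
)
`

// Minimum safe versions, taken from Trivy's FIXED VERSION column.
var fixedVersions = map[string]string{
	"golang.org/x/crypto": "0.0.0-20220315160706-3147a52a75dd", // CVE-2022-27191
	"golang.org/x/text":   "0.3.7",                             // CVE-2021-38561
}

// parseRequires maps module path -> version for every require line in go.mod.
func parseRequires(goMod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop "// indirect" and similar
		}
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				reqs[f[1]] = f[2]
			}
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				reqs[f[0]] = f[1]
			}
		}
	}
	return reqs
}

var stampRe = regexp.MustCompile(`\d{14}`)

// key holds the parts of a version that matter for ordering.
type key struct {
	nums  [3]int
	pre   bool   // version carries a pre-release / pseudo-version suffix
	stamp string // 14-digit pseudo-version timestamp, "" if absent
}

// parseVersion accepts "v0.3.7", "0.3.7", "v0.0.0-<stamp>-<hash>" and
// "v0.3.7-0.<stamp>-<hash>"; "+incompatible" build metadata is ignored.
func parseVersion(v string) (key, error) {
	var k key
	v = strings.SplitN(strings.TrimPrefix(v, "v"), "+", 2)[0]
	parts := strings.SplitN(v, "-", 2)
	nums := strings.Split(parts[0], ".")
	if len(nums) != 3 {
		return k, fmt.Errorf("unrecognised version %q", v)
	}
	for i, p := range nums {
		n, err := strconv.Atoi(p)
		if err != nil {
			return k, fmt.Errorf("unrecognised version %q", v)
		}
		k.nums[i] = n
	}
	if len(parts) == 2 {
		k.pre = true
		k.stamp = stampRe.FindString(parts[1])
	}
	return k, nil
}

// atLeast reports whether installed >= fixed: numeric parts first, then a
// release beats any pre-release of the same number, then timestamps order
// pseudo-versions among themselves.
func atLeast(installed, fixed string) (bool, error) {
	a, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	b, err := parseVersion(fixed)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] > b.nums[i], nil
		}
	}
	switch {
	case !a.pre:
		return true, nil
	case !b.pre:
		return false, nil
	default:
		return a.stamp >= b.stamp, nil
	}
}

// Finding is one dependency compared against its fixed version.
type Finding struct {
	Module, Installed, Fixed string
	OK                       bool
}

// audit checks the modules in fixedVersions that appear in goMod, in a
// deterministic order.
func audit(goMod string) ([]Finding, error) {
	reqs := parseRequires(goMod)
	var out []Finding
	for _, mod := range []string{"golang.org/x/crypto", "golang.org/x/text"} {
		inst, present := reqs[mod]
		if !present {
			continue
		}
		ok, err := atLeast(inst, fixedVersions[mod])
		if err != nil {
			return nil, err
		}
		out = append(out, Finding{mod, inst, fixedVersions[mod], ok})
	}
	return out, nil
}

func main() {
	findings, err := audit(sampleGoMod)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		status := "needs bump"
		if f.OK {
			status = "ok"
		}
		fmt.Printf("%-20s installed %-38s fixed %-36s %s\n", f.Module, f.Installed, f.Fixed, status)
	}
}
```

Run against the sample go.mod this flags both modules; after the PR's `go get -u` / `go mod tidy` the versions in go.mod move past the fixed ones and the same check passes. Note that go.mod lists the requirements the main module declares, so for the full build list you would feed it the `path version` lines from `go list -m all` instead.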

@finnigja finnigja requested a review from tvoran April 27, 2022 15:34
@swenson swenson left a comment

LGTM

@swenson swenson merged commit 86684e6 into main Apr 27, 2022
@swenson swenson deleted the bump_deps branch April 27, 2022 15:47