Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Include old golang.org/x/crypto package with CRITICAL CVE-2024-45337 in v1.9.3 #3397

Open
cmontemuino opened this issue Dec 17, 2024 · 1 comment
Open

Include old golang.org/x/crypto package with CRITICAL CVE-2024-45337 in v1.9.3 #3397

cmontemuino opened this issue Dec 17, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@cmontemuino
Copy link

Describe the bug

Summary from Trivy scan:

Vulnerability information: 
+--------------------------------+-----------------------------+----------+-------------------+---------------+----------------------------------------------------------------------------+--------------------------------------------+
|              Type              |           Library           | Severity | Installed Version | Fixed Version |                                  Summary                                   |                More Details                |
+--------------------------------+-----------------------------+----------+-------------------+---------------+----------------------------------------------------------------------------+--------------------------------------------+
|  bin/argo-events (gobinary)    | golang.org/x/crypto (None)  | CRITICAL |      v0.29.0      |     0.31.0    | Applications and libraries which misuse the ServerConfig.PublicKeyCall ... | https://avd.aquasec.com/nvd/cve-2024-45337 |
| usr/local/bin/argo (gobinary)  | golang.org/x/crypto (None)  | CRITICAL |      v0.24.0      |     0.31.0    | Applications and libraries which misuse the ServerConfig.PublicKeyCall ... | https://avd.aquasec.com/nvd/cve-2024-45337 |
+--------------------------------+-----------------------------+----------+-------------------+---------------+----------------------------------------------------------------------------+--------------------------------------------+

To Reproduce

N/A

Expected behavior

No CRITICAL vulnerabilities found,

Screenshots
N/A

Environment (please complete the following information):

  • Argo Events: v1.9.3

Additional context
N/A

Message from the maintainers:

If you wish to see this enhancement implemented please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.
@cmontemuino cmontemuino added the bug Something isn't working label Dec 17, 2024
@cmontemuino
Copy link
Author

The package has been upgraded in #3390

Would it be possible to release v1.9.4 as a security patch?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@cmontemuino