

@turkenf turkenf commented Sep 9, 2025

Description of your changes

This PR updates dependencies to fix CVEs

NAME                        INSTALLED         FIXED IN                      TYPE       VULNERABILITY        SEVERITY    EPSS           RISK
stdlib                      go1.21.3          1.21.9, 1.22.2                go-module  CVE-2023-45288       High        66.6% (98th)   50.0
golang.org/x/net            v0.19.0           0.23.0                        go-module  GHSA-4v7x-pqxf-cx7m  Medium      66.6% (98th)   34.3
libssl1.1                   1.1.1w-0+deb11u1  1.1.1w-0+deb11u2              deb        CVE-2024-5535        Critical    7.8% (91st)    7.1
openssl                     1.1.1w-0+deb11u1  1.1.1w-0+deb11u2              deb        CVE-2024-5535        Critical    7.8% (91st)    7.1
libssl1.1                   1.1.1w-0+deb11u1  1.1.1w-0+deb11u2              deb        CVE-2024-2511        Medium      2.1% (83rd)    1.2
openssl                     1.1.1w-0+deb11u1  1.1.1w-0+deb11u2              deb        CVE-2024-2511        Medium      2.1% (83rd)    1.2
stdlib                      go1.21.3          1.21.8, 1.22.1                go-module  CVE-2024-24784       High        1.5% (80th)    1.1
stdlib                      go1.21.3          1.21.10, 1.22.3               go-module  CVE-2024-24787       Medium      1.6% (80th)    0.9
libc6                       2.31-13+deb11u10  (won't fix)                   deb        CVE-2023-4806        Medium      1.1% (76th)    0.6
stdlib                      go1.21.3          1.21.12, 1.22.5               go-module  CVE-2024-24791       High        0.6% (69th)    0.5
libssl1.1                   1.1.1w-0+deb11u1  1.1.1w-0+deb11u2              deb        CVE-2024-9143        Medium      0.7% (69th)    0.3
openssl                     1.1.1w-0+deb11u1  1.1.1w-0+deb11u2              deb        CVE-2024-9143        Medium      0.7% (69th)    0.3
libc6                       2.31-13+deb11u10  2.31-13+deb11u12              deb        CVE-2025-0395        High        0.3% (56th)    0.3
stdlib                      go1.21.3          1.21.8, 1.22.1                go-module  CVE-2024-24783       Medium      0.4% (62nd)    0.2
stdlib                      go1.21.3          1.21.8, 1.22.1                go-module  CVE-2023-45290       Medium      0.4% (57th)    0.2
stdlib                      go1.21.3          1.21.8, 1.22.1                go-module  CVE-2023-45289       Medium      0.4% (60th)    0.2
libssl1.1                   1.1.1w-0+deb11u1  1.1.1w-0+deb11u2              deb        CVE-2024-0727        Medium      0.3% (55th)    0.2
openssl                     1.1.1w-0+deb11u1  1.1.1w-0+deb11u2              deb        CVE-2024-0727        Medium      0.3% (55th)    0.2
libc6                       2.31-13+deb11u10  (won't fix)                   deb        CVE-2023-4813        Medium      0.3% (53rd)    0.2
google.golang.org/protobuf  v1.32.0           1.33.0                        go-module  GHSA-8r3f-844c-mc37  Medium      0.2% (45th)    0.1
stdlib                      go1.21.3          1.22.7, 1.23.1                go-module  CVE-2024-34156       High        0.2% (39th)    0.1
stdlib                      go1.21.3          1.21.8, 1.22.1                go-module  CVE-2024-24785       Medium      0.2% (47th)    0.1
libc6                       2.31-13+deb11u10                                deb        CVE-2018-20796       Negligible  2.0% (82nd)    < 0.1
libssl1.1                   1.1.1w-0+deb11u1  1.1.1w-0+deb11u2              deb        CVE-2024-4741        High        0.1% (31st)    < 0.1
openssl                     1.1.1w-0+deb11u1  1.1.1w-0+deb11u2              deb        CVE-2024-4741        High        0.1% (31st)    < 0.1
stdlib                      go1.21.3          1.21.11, 1.22.4               go-module  CVE-2024-24790       Critical    < 0.1% (26th)  < 0.1
stdlib                      go1.21.3          1.22.7, 1.23.1                go-module  CVE-2024-34158       High        < 0.1% (24th)  < 0.1
golang.org/x/oauth2         v0.11.0           0.27.0                        go-module  GHSA-6v2p-p543-phr9  High        < 0.1% (23rd)  < 0.1
stdlib                      go1.21.3          1.22.7, 1.23.1                go-module  CVE-2024-34155       Medium      0.1% (30th)    < 0.1
stdlib                      go1.21.3          1.23.12, 1.24.6               go-module  CVE-2025-47907       High        < 0.1% (18th)  < 0.1
libssl1.1                   1.1.1w-0+deb11u1  1.1.1w-0+deb11u2              deb        CVE-2023-5678        Medium      < 0.1% (24th)  < 0.1
openssl                     1.1.1w-0+deb11u1  1.1.1w-0+deb11u2              deb        CVE-2023-5678        Medium      < 0.1% (24th)  < 0.1
stdlib                      go1.21.3          1.20.12, 1.21.5               go-module  CVE-2023-45285       High        < 0.1% (17th)  < 0.1
libssl1.1                   1.1.1w-0+deb11u1  1.1.1w-0+deb11u3              deb        CVE-2024-13176       Medium      < 0.1% (24th)  < 0.1
openssl                     1.1.1w-0+deb11u1  1.1.1w-0+deb11u3              deb        CVE-2024-13176       Medium      < 0.1% (24th)  < 0.1
libc6                       2.31-13+deb11u10                                deb        CVE-2019-1010023     Negligible  0.7% (71st)    < 0.1
stdlib                      go1.21.3          1.20.12, 1.21.5               go-module  CVE-2023-39326       Medium      < 0.1% (14th)  < 0.1
stdlib                      go1.21.3          1.22.11, 1.23.5, 1.24.0-rc.2  go-module  CVE-2024-45336       Medium      < 0.1% (11th)  < 0.1
libc6                       2.31-13+deb11u10                                deb        CVE-2019-1010024     Negligible  0.4% (58th)    < 0.1
libc6                       2.31-13+deb11u10                                deb        CVE-2010-4756        Negligible  0.4% (58th)    < 0.1
stdlib                      go1.21.3          1.22.11, 1.23.5, 1.24.0-rc.2  go-module  CVE-2024-45341       Medium      < 0.1% (7th)   < 0.1
stdlib                      go1.21.3          1.23.8, 1.24.2                go-module  CVE-2025-22871       Critical    < 0.1% (1st)   < 0.1
libc6                       2.31-13+deb11u10                                deb        CVE-2019-1010025     Negligible  0.2% (46th)    < 0.1
stdlib                      go1.21.3          1.23.10, 1.24.4               go-module  CVE-2025-4673        Medium      < 0.1% (3rd)   < 0.1
libc6                       2.31-13+deb11u10  (won't fix)                   deb        CVE-2025-8058        Medium      < 0.1% (3rd)   < 0.1
golang.org/x/net            v0.19.0           0.38.0                        go-module  GHSA-vvgc-356p-c3xw  Medium      < 0.1% (3rd)   < 0.1
libc6                       2.31-13+deb11u10                                deb        CVE-2019-9192        Negligible  0.2% (37th)    < 0.1
libc6                       2.31-13+deb11u10                                deb        CVE-2019-1010022     Negligible  0.1% (35th)    < 0.1
golang.org/x/net            v0.19.0           0.36.0                        go-module  GHSA-qxp5-gwg8-xv66  Medium      < 0.1% (2nd)   < 0.1
libc6                       2.31-13+deb11u10  2.31-13+deb11u13              deb        CVE-2025-4802        High        < 0.1% (0th)   < 0.1
stdlib                      go1.21.3          1.22.12, 1.23.6, 1.24.0-rc.3  go-module  CVE-2025-22866       Medium      < 0.1% (1st)   < 0.1
stdlib                      go1.21.3          1.23.11, 1.24.5               go-module  CVE-2025-4674        High        < 0.1% (0th)   < 0.1
stdlib                      go1.21.3          1.21.11, 1.22.4               go-module  CVE-2024-24789       Medium      < 0.1% (0th)   < 0.1
libssl1.1                   1.1.1w-0+deb11u1                                deb        CVE-2025-27587       Negligible  < 0.1% (18th)  < 0.1
openssl                     1.1.1w-0+deb11u1                                deb        CVE-2025-27587       Negligible  < 0.1% (18th)  < 0.1

I have:
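Before merging a bump like this one, the question a reviewer wants answered is what floor each Go module must reach so that every row in the scan table is closed, and which rows a go.mod change cannot close at all. The script below is an added example, not code from the crossplane-contrib project or from this PR: it parses a constructed excerpt of the scanner table above (columns split on runs of two or more spaces, with FIXED IN assumed to be the only column that can be empty) and, per Go module, picks the lowest listed fix version that satisfies every finding. The branch rule it applies (a fix listed for 1.21.x and 1.22.x is also present on 1.23 and later, as Go's release branches do) is an assumption stated in the code; deb rows are reported separately because they are closed by a base-image update, not by go.mod.

```python
"""Derive the minimum Go module versions a CVE-fix dependency bump must reach.

Added example, not the project's own code. It reads a grype-style findings table
and, for each Go module, returns the lowest listed fix version that closes all of
that module's findings.
"""
import re
from collections import defaultdict

# Constructed excerpt of the table in the PR description (not the full output).
SCAN_OUTPUT = """\
NAME                        INSTALLED         FIXED IN                      TYPE       VULNERABILITY        SEVERITY    EPSS           RISK
stdlib                      go1.21.3          1.21.9, 1.22.2                go-module  CVE-2023-45288       High        66.6% (98th)   50.0
golang.org/x/net            v0.19.0           0.23.0                        go-module  GHSA-4v7x-pqxf-cx7m  Medium      66.6% (98th)   34.3
libssl1.1                   1.1.1w-0+deb11u1  1.1.1w-0+deb11u2              deb        CVE-2024-5535        Critical    7.8% (91st)    7.1
libc6                       2.31-13+deb11u10  (won't fix)                   deb        CVE-2023-4806        Medium      1.1% (76th)    0.6
google.golang.org/protobuf  v1.32.0           1.33.0                        go-module  GHSA-8r3f-844c-mc37  Medium      0.2% (45th)    0.1
libc6                       2.31-13+deb11u10                                deb        CVE-2018-20796       Negligible  2.0% (82nd)    < 0.1
golang.org/x/oauth2         v0.11.0           0.27.0                        go-module  GHSA-6v2p-p543-phr9  High        < 0.1% (23rd)  < 0.1
stdlib                      go1.21.3          1.23.12, 1.24.6               go-module  CVE-2025-47907       High        < 0.1% (18th)  < 0.1
stdlib                      go1.21.3          1.22.11, 1.23.5, 1.24.0-rc.2  go-module  CVE-2024-45336       Medium      < 0.1% (11th)  < 0.1
golang.org/x/net            v0.19.0           0.38.0                        go-module  GHSA-vvgc-356p-c3xw  Medium      < 0.1% (3rd)   < 0.1
stdlib                      go1.21.3          1.23.11, 1.24.5               go-module  CVE-2025-4674        High        < 0.1% (0th)   < 0.1
"""

COLS = ("NAME", "INSTALLED", "FIXED IN", "TYPE", "VULNERABILITY", "SEVERITY", "EPSS", "RISK")


def parse_scan(table: str) -> list[dict]:
    """Split rows on runs of two or more spaces.

    Assumption: FIXED IN is the only column that may be empty, so a row with
    one field fewer than the header is a finding with no fix version.
    """
    lines = table.strip().splitlines()
    if not lines or not lines[0].startswith("NAME"):
        raise ValueError("missing header row")
    rows = []
    for line in lines[1:]:
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) == len(COLS) - 1:
            fields.insert(2, "")
        if len(fields) != len(COLS):
            raise ValueError(f"unexpected column count in: {line!r}")
        rows.append(dict(zip(COLS, fields)))
    return rows


def parse_ver(s: str) -> tuple[tuple[int, ...], int]:
    """'go1.21.3' / 'v0.19.0' / '1.24.0-rc.2' -> ((1, 21, 3), 1).

    The trailing flag is 0 for a pre-release so 1.24.0-rc.2 sorts below 1.24.0.
    """
    s = s.removeprefix("go").removeprefix("v")
    base, _, pre = s.partition("-")
    return tuple(int(p) for p in base.split(".")), 0 if pre else 1


def branch(v):
    """The release line a fix was published on, e.g. (1, 23) for 1.23.12."""
    return v[0][:2]


def fixed_by(cand, fixes) -> bool:
    """FIXED IN lists one version per maintained branch, so cand carries the fix
    if it is at or above the entry on its own branch, or lies on a newer branch
    than every entry (assumption: newer branches include older fixes)."""
    for f in fixes:
        if branch(cand) == branch(f):
            return cand >= f
    return branch(cand) > max(branch(f) for f in fixes)


def minimum_fix(findings):
    """Return ({module: lowest version closing all its findings}, [findings a
    Go module bump cannot close: OS packages, '(won't fix)', no fix listed])."""
    per_module = defaultdict(list)  # module -> one fix-version list per finding
    other = []
    for f in findings:
        if f["TYPE"] != "go-module" or not f["FIXED IN"] or f["FIXED IN"].startswith("("):
            other.append(f)
            continue
        per_module[f["NAME"]].append([s.strip() for s in f["FIXED IN"].split(",")])
    need = {}
    for module, lists in per_module.items():
        parsed = [[parse_ver(s) for s in lst] for lst in lists]
        # Candidates are the listed versions themselves; the highest always qualifies.
        cands = sorted({s for lst in lists for s in lst}, key=parse_ver)
        need[module] = next(c for c in cands if all(fixed_by(parse_ver(c), p) for p in parsed))
    return need, other


if __name__ == "__main__":
    need, other = minimum_fix(parse_scan(SCAN_OUTPUT))
    for module, version in sorted(need.items()):
        print(f"bump {module:<28} to >= {version}")
    for f in other:
        print(f"not a go.mod fix: {f['NAME']} {f['VULNERABILITY']} (fixed in: {f['FIXED IN'] or 'n/a'})")
```

For this excerpt the floor for stdlib comes out at 1.23.12, which with go1.21.3 in the INSTALLED column means the toolchain itself has to move, not only the module versions in go.mod; the two libc6 rows and the libssl1.1 row are listed under "not a go.mod fix" because only a base-image update changes them.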


@turkenh turkenh left a comment


Thanks!

Signed-off-by: Fatih Türken <turkenf@gmail.com>
@turkenh turkenh merged commit 6033760 into crossplane-contrib:main Sep 9, 2025
6 checks passed
@turkenf turkenf deleted the fix-CVEs branch September 9, 2025 10:47

github-actions bot commented Sep 9, 2025

Backport failed for release-0.2, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-0.2
git worktree add -d .worktree/backport-64-to-release-0.2 origin/release-0.2
cd .worktree/backport-64-to-release-0.2
git switch --create backport-64-to-release-0.2
git cherry-pick -x db4a9d70d589f4e353be88c469d8658b3cf8b8db


2 participants