Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump github.com/hashicorp/go-retryablehttp to address CVE-2024-6104 #13081

Merged
merged 1 commit into from
Jun 28, 2024
Merged

Bump github.com/hashicorp/go-retryablehttp to address CVE-2024-6104 #13081

merged 1 commit into from
Jun 28, 2024

Conversation

nywilken
Copy link
Contributor

@nywilken nywilken commented Jun 28, 2024
edited
Loading

Before change

~>  govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2024-2947
    Leak of sensitive information to log files in
    github.com/hashicorp/go-retryablehttp
  More info: https://pkg.go.dev/vuln/GO-2024-2947
  Module: github.com/hashicorp/go-retryablehttp
    Found in: github.com/hashicorp/go-retryablehttp@v0.7.6
    Fixed in: github.com/hashicorp/go-retryablehttp@v0.7.7
    Example traces found:
      #1: hcl2template/function/vault.go:30:30: function.init calls template.Vault, which eventually calls retryablehttp.Client.Do

Your code is affected by 1 vulnerability from 1 module.

After Change

~>  govulncheck ./...
No vulnerabilities found.

Closes #13079

@nywilken
Bump github.com/hashicorp/go-retryablehttp to address CVE-2024-6104
4197915 
Before change
```
~>  govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2024-2947
    Leak of sensitive information to log files in
    github.com/hashicorp/go-retryablehttp
  More info: https://pkg.go.dev/vuln/GO-2024-2947
  Module: github.com/hashicorp/go-retryablehttp
    Found in: github.com/hashicorp/go-retryablehttp@v0.7.6
    Fixed in: github.com/hashicorp/go-retryablehttp@v0.7.7
    Example traces found:
      #1: hcl2template/function/vault.go:30:30: function.init calls template.Vault, which eventually calls retryablehttp.Client.Do

Your code is affected by 1 vulnerability from 1 module.
```

After Change
```
~>  govulncheck ./...
No vulnerabilities found.
```
@nywilken nywilken requested a review from a team as a code owner June 28, 2024 13:57
@nywilken nywilken added security Auto-pinning backport/1.11.x Backport PR changes to `release/1.11.x` labels Jun 28, 2024
@nywilken nywilken merged commit cceead8 into main Jun 28, 2024
13 checks passed
@hc-github-team-packer hc-github-team-packer mentioned this pull request Jun 28, 2024
Merged
@github-actions GitHub Actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 30, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@JenGoldstrich JenGoldstrich JenGoldstrich approved these changes

Assignees
No one assigned
Labels
backport/1.11.x Backport PR changes to `release/1.11.x` security Auto-pinning
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[ CVE-2024-6104 ] Update github.com/hashicorp/go-retryablehttp package
2 participants
@nywilken @JenGoldstrich