Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Found security vulnerabilities in go 1.16 #2222

Closed
abhi-vaidya opened this issue Oct 28, 2021 · 3 comments · Fixed by #2329
Closed

Found security vulnerabilities in go 1.16 #2222

abhi-vaidya opened this issue Oct 28, 2021 · 3 comments · Fixed by #2329

Comments

@abhi-vaidya
Copy link

keda/go.mod

Line 3 in f78c16e

go 1.16

Hello,

We are using this repository for internal development and security appliance scan found severe vulnerabilities in go 1.16.
https://nvd.nist.gov/vuln/detail/CVE-2021-29923. Which is being fixed in go 1.17. Is there any plan to update it to go 1.17.

@zroubalik zroubalik added this to the v2.5.0 milestone Nov 1, 2021
@zroubalik
Copy link
Member

zroubalik commented Nov 1, 2021

@abhi-vaidya thanks for reporting this. We have just updated go from 1.15 -> 1.16 for the upcoming release.

As per this golang/go#30999 (comment) the situation is not nearly so clear cut. So I am leaning towards not to the update now but keep it open for some subsequent releases. So we don't do the update from 1.15->1.17 in one release.

Is there any particular problem that you are facing with this CVE?

@zroubalik zroubalik removed this from the v2.5.0 milestone Nov 1, 2021
@abhi-vaidya
Copy link
Author

abhi-vaidya commented Nov 23, 2021

@zroubalik would you be able to provide eta on updating go version to 1.17 please. Our security scanner has reported that it is a high level risk so we need to update it to 1.17 as soon as possible.

@zroubalik
Copy link
Member

@abhi-vaidya we are planning to release KEDA 2.5.0 tomorrow (currently go 1.16). Then next release is at the moment scheduled to February 2022. You can check milestones: https://github.com/kedacore/keda/milestones

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants