
Bump go packages to fix vuln CVE-2024-8421 #2314

Merged (2 commits, Sep 11, 2024)

Conversation

pjuarezd
Member

@pjuarezd pjuarezd commented Sep 5, 2024

golang.org/x/net is the one with the vuln (CWE-400), bumped from v0.26.0 to v0.29.0.

The other package updates are just to keep the dependency tree in sync.

The vuln consists of golang.org/x/net being subject to Denial of Service (DoS); more details here: https://ossindex.sonatype.org/vulnerability/CVE-2024-8421?component-type=golang&component-name=golang.org%2Fx%2Fnet&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.46

Signed-off-by: pjuarezd <pjuarezd@users.noreply.github.com>
@pjuarezd pjuarezd self-assigned this Sep 5, 2024
@pjuarezd pjuarezd changed the title Bump go packages to fix vuln CWE-400 Bump go packages to fix vuln CVE-2024-8421 Sep 5, 2024
@pjuarezd
Member Author

pjuarezd commented Sep 5, 2024

Update: No known fix yet; vulnerable versions not identified yet.

Although Sonatype already assigns a CVE to the vulnerability in the package golang.org/x/net and the CVE has been reserved by cve.org, there is not enough information to identify vulnerable package versions, nor a resolution on which version has a fix.

Possible action paths:

  • Temporarily ignore the vulnerability
  • Wait a few days for a resolution

Important resources to keep an eye on this vulnerability

@pjuarezd
Member Author

pjuarezd commented Sep 10, 2024

Update: added .nancy-ignore to this PR to ignore CVE-2024-8421 momentarily, to allow the tests to run.

There is no resolution yet, and it seems that this regression might already be fixed on golang.org/x/net >= 0.22.0. This PR also updates golang.org/x/net to its latest available version, v0.29.0, on golang 1.22.7.
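
A way to verify that a bump like the one in this PR actually landed in go.mod, added here as an example and not code from the PR or the minio project: it parses the require directives of a go.mod, compares the pinned version of each watched module against a minimum fixed version with a small semver comparison, and reports anything still below it. The go.mod content is a constructed sample; the minimum version for golang.org/x/net (v0.22.0, from the comment above) is an assumption for the example, and pre-release suffixes are ignored for simplicity.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod content (not the project's real go.mod).
// It mirrors the state described in the PR, where golang.org/x/net
// has been bumped to v0.29.0.
const sampleGoMod = `module example.com/sample

go 1.22.7

require (
	golang.org/x/net v0.29.0
	golang.org/x/crypto v0.27.0 // indirect
	golang.org/x/sys v0.25.0
)
`

// minFixedVersions maps a module path to the lowest version considered
// to carry the fix. The value for golang.org/x/net is an assumption
// taken from the PR comment ("fixed already on golang.org/x/net >= 0.22.0").
var minFixedVersions = map[string]string{
	"golang.org/x/net": "v0.22.0",
}

// parseSemver splits "vMAJOR.MINOR.PATCH" into three integers, dropping
// any pre-release or build suffix. ok is false on malformed input.
func parseSemver(v string) (nums [3]int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, false
		}
		nums[i] = n
	}
	return nums, true
}

// compareSemver returns -1, 0 or 1 as a is below, equal to or above b.
func compareSemver(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// requiredVersions extracts "path version" pairs from require blocks and
// single-line require directives; trailing // comments are stripped, so
// "// indirect" entries are included too.
func requiredVersions(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				out[f[1]] = f[2]
			}
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				out[f[0]] = f[1]
			}
		}
	}
	return out
}

// outdatedModules returns every watched module whose pinned version in
// gomod is missing, unparsable or below its minimum fixed version.
func outdatedModules(gomod string, minFixed map[string]string) []string {
	reqs := requiredVersions(gomod)
	var bad []string
	for path, min := range minFixed {
		have, present := reqs[path]
		want, _ := parseSemver(min)
		got, ok := parseSemver(have)
		if !present || !ok || compareSemver(got, want) < 0 {
			bad = append(bad, fmt.Sprintf("%s %q (need >= %s)", path, have, min))
		}
	}
	return bad
}

func main() {
	if bad := outdatedModules(sampleGoMod, minFixedVersions); len(bad) > 0 {
		fmt.Println("still below fixed version:", bad)
		return
	}
	fmt.Println("all watched modules at or above the fixed version")
}
```

To run it against a real module, replace sampleGoMod with the contents of the repository's go.mod (os.ReadFile) and extend minFixedVersions with the module/version pairs from the advisory once the fixed version is published; until then, as the comment above notes, the minimum is only a guess.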

@pjuarezd pjuarezd merged commit 6785830 into minio:master Sep 11, 2024
20 of 21 checks passed
@pjuarezd
Member Author

Turned out to be a false alarm.

@pjuarezd pjuarezd deleted the bump-packages-versions branch September 26, 2024 22:21