
CVE-2023-45142 affects the go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1 indirect dependency

Open priyaselvaganesan opened this issue 2 years ago • 6 comments

CVE link: https://nvd.nist.gov/vuln/detail/CVE-2023-45142

Is this repository using the go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp dependency actively? If so, can you give a time frame on resolving the CVE?

priyaselvaganesan avatar Oct 26 '23 17:10 priyaselvaganesan

This repository does not use otelhttp, but I think it is still a good idea to bump the version.

dashpole avatar Nov 02 '23 16:11 dashpole
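The two questions raised in this thread (is the module only an indirect requirement, and is the pinned version below the fixed release) can be answered from go.mod alone. The following is an added example, not code from the custom-metrics-apiserver project; the go.mod text is constructed and the fixed version is an assumption to be taken from the advisory.

```python
import re

# Constructed go.mod text modelled on this issue: otelhttp is present only indirectly.
SAMPLE_GO_MOD = """module example.com/custom-metrics-apiserver
go 1.21
require k8s.io/apimachinery v0.28.3
require (
\tgithub.com/stretchr/testify v1.8.4
\tgo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1 // indirect
\tgo.opentelemetry.io/otel v1.10.0 // indirect
)
"""

# Assumed fixed version (placeholder, not stated in this issue; take it from the advisory).
FIXED_IN = "v0.44.0"
REQUIRE_LINE = re.compile(r"^(\S+)\s+(v\S+)(?:\s*//\s*(indirect))?$")


def parse_requires(go_mod):
    """Map module path -> (version, is_indirect) from single-line and block `require` forms."""
    deps, in_block = {}, False
    for raw in go_mod.splitlines():
        line = raw.strip()
        if not in_block:
            if line == "require (":
                in_block = True
                continue
            if not line.startswith("require "):
                continue  # module/go/replace/exclude lines are not requirements
            line = line[len("require "):]
        elif line == ")":
            in_block = False
            continue
        m = REQUIRE_LINE.match(line)
        if m:
            deps[m.group(1)] = (m.group(2), m.group(3) is not None)
    return deps


def semver_key(v):
    # Numeric sort key for vMAJOR.MINOR.PATCH; pre-release and build suffixes are ignored.
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


def assess(go_mod, module, fixed_in=FIXED_IN):
    """None if `module` is absent; else its version, whether it is indirect, and whether it is below the fix."""
    deps = parse_requires(go_mod)
    if module not in deps:
        return None
    version, indirect = deps[module]
    return {"version": version, "indirect": indirect,
            "needs_bump": semver_key(version) < semver_key(fixed_in)}
```

An indirect requirement below the fix still warrants a bump even when no package in the repo imports it, since the version recorded in go.mod is what scanners and consumers see.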

/assign @dgrisonnet /triage accepted

dashpole avatar Nov 02 '23 16:11 dashpole

Hi, any plans on updating the otelhttp package?

manikantanallagatla avatar Dec 12 '23 11:12 manikantanallagatla

https://github.com/kubernetes-sigs/custom-metrics-apiserver/pull/161

dashpole avatar Dec 12 '23 15:12 dashpole

This repo is not directly affected by that vulnerability, so we don't have any timeline for fixing it.

@manikantanallagatla would you perhaps be interested in sending a PR to bump the k8s versions and the otel dep?

dgrisonnet avatar Dec 13 '23 15:12 dgrisonnet

Opened a PR https://github.com/kubernetes-sigs/custom-metrics-apiserver/pull/162 to fix it

liangyuanpeng avatar Dec 24 '23 04:12 liangyuanpeng

/close

It's in 1.29.0 already

CatherineF-dev avatar May 06 '24 19:05 CatherineF-dev

@CatherineF-dev: Closing this issue.

In response to this:

/close

It's in 1.29.0 already

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar May 06 '24 19:05 k8s-ci-robot