
vulnerability [CVE-2022-27191]

Open mohit-angelone opened this issue 2 years ago • 6 comments

Versions

| Sarama | Kafka | Go |
| --- | --- | --- |
| 1.34.1 | | |

Configuration

What configuration values are you using for Sarama and Kafka?

Logs

https://github.com/advisories/GHSA-8c26-wmh5-6g9v

logs: [CLICK ME](https://github.com/advisories/GHSA-8c26-wmh5-6g9v)

Problem Description

Bumping up golang.org/x/crypto dependency version removes this vulnerability

mohit-angelone avatar Jul 13 '22 12:07 mohit-angelone

Sarama doesn’t pull x/crypto as a direct dependency. We get it as an indirect dep via https://github.com/jcmturner/gokrb5 and so as a library we can’t control its version. We either need gokrb5 to tag a new release with a suitable bump in x/crypto, or you as a consumer of us can add a replace directive in your application go.mod to force a new version to be used.

dnwe avatar Jul 14 '22 09:07 dnwe

@dnwe https://github.com/jcmturner/gokrb5/blob/master/v8 uses c6db032c6c88, which is newer than 86341886e292 (addresses the vulnerability with the fix), so using the latest tag shall address the vulnerability.

What do you suggest?

mohit-angelone avatar Jul 14 '22 09:07 mohit-angelone

Yes it was me who submitted the PR to bump it originally here, but I was awaiting a tagged release before bumping the dependency

dnwe avatar Jul 14 '22 09:07 dnwe

As mentioned on that PR, it’s really a false positive because the ssh pkg isn’t used at all, so is only flagged by vuln scanners which don’t look at the whole import paths

dnwe avatar Jul 14 '22 09:07 dnwe

OK, then for now I am proceeding with the replace solution.

mohit-angelone avatar Jul 14 '22 10:07 mohit-angelone
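The two points made above, the go.mod replace directive as the consumer-side workaround and the maintainer's remark that the finding is a false positive because the ssh package is never imported, as an added example that is not part of this thread or of Sarama's own code: a small Go program that reads an application's go.mod (a constructed one here), applies any replace directive to find the version golang.org/x/crypto actually resolves to, and then, the way a package-level scanner such as govulncheck reasons, reports a finding only if the vulnerable package path is in the build's import graph. The go.mod content, the `go list -deps` style package list and the fixed pseudo-version are assumptions, labelled in the code; the version comparison goes beyond this one case and orders tagged releases against pseudo-versions generally.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumption: the pseudo-version carrying the CVE-2022-27191 fix, as recalled from
// GHSA-8c26-wmh5-6g9v; confirm it against the advisory before relying on it.
const fixedVersion = "v0.0.0-20220314234659-1baeb1ce4c0b"

// Constructed go.mod for a hypothetical app that depends on Sarama; the x/crypto
// pseudo-version is a placeholder, not a value taken from the issue.
const appGoModUnpinned = `module example.com/app
require (
	github.com/Shopify/sarama v1.34.1
	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
)
`

// The same go.mod plus the replace directive the maintainer suggested.
const appGoMod = appGoModUnpinned + "replace golang.org/x/crypto => golang.org/x/crypto " + fixedVersion + "\n"

// Constructed `go list -deps` style package list: gokrb5 imports x/crypto packages, but not x/crypto/ssh.
var appDeps = []string{"github.com/Shopify/sarama", "github.com/jcmturner/gokrb5/v8/crypto",
	"golang.org/x/crypto/md4", "golang.org/x/crypto/pbkdf2"}

// resolvedVersions maps each required module to the version it resolves to after
// single-line "replace OLD => NEW vY" directives (block/directory forms not handled).
func resolvedVersions(gomod string) map[string]string {
	versions, replaces := map[string]string{}, map[string]string{}
	inRequire := false
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.Split(raw, "//")[0]) // tokens before any "// indirect" comment
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inRequire = true
		case len(f) == 1 && f[0] == ")":
			inRequire = false
		case len(f) == 3 && f[0] == "require": // require MOD vX
			versions[f[1]] = f[2]
		case inRequire && len(f) == 2: // MOD vX inside a require block
			versions[f[0]] = f[1]
		case len(f) == 5 && f[0] == "replace" && f[2] == "=>": // replace OLD => NEW vY
			replaces[f[1]] = f[4]
		}
	}
	for mod, v := range replaces {
		if _, ok := versions[mod]; ok { // a replace only affects a module that is required
			versions[mod] = v
		}
	}
	return versions
}

// versionAtLeast reports have >= want for vX.Y.Z and vX.Y.Z-<timestamp>-<hash> forms: numeric
// base first; on a tie a tagged release outranks a pseudo-version (semver pre-release rule)
// and two pseudo-versions order by their timestamp prefix.
func versionAtLeast(have, want string) bool {
	split := func(v string) (base [3]int, suffix string) {
		v = strings.TrimPrefix(v, "v")
		if i := strings.Index(v, "-"); i >= 0 {
			v, suffix = v[:i], v[i+1:]
		}
		fmt.Sscanf(v, "%d.%d.%d", &base[0], &base[1], &base[2])
		return base, suffix
	}
	hb, hs := split(have)
	wb, ws := split(want)
	for i := range hb {
		if hb[i] != wb[i] {
			return hb[i] > wb[i]
		}
	}
	return hs == "" || (ws != "" && hs >= ws)
}

// assess classifies exposure the way a package-aware scanner does: a module below the fix
// is a finding only if the vulnerable package is in the import graph; a module-level scanner
// would flag it either way, which is the false positive discussed in the thread.
func assess(gomod string, deps []string, module, pkg, fixed string) string {
	have, ok := resolvedVersions(gomod)[module]
	if !ok {
		return "module not required"
	}
	if versionAtLeast(have, fixed) {
		return "fixed: resolves to " + have
	}
	for _, d := range deps {
		if d == pkg {
			return "affected: " + pkg + " imported at " + have
		}
	}
	return "not affected: " + pkg + " is not in the import graph"
}

func main() {
	const mod, pkg = "golang.org/x/crypto", "golang.org/x/crypto/ssh"
	fmt.Println("no replace:  ", assess(appGoModUnpinned, appDeps, mod, pkg, fixedVersion))
	fmt.Println("with replace:", assess(appGoMod, appDeps, mod, pkg, fixedVersion))
}
```

In a real project the package list comes from `go list -deps ./...` and the go.mod from the build, so the check reflects what the binary links rather than what the module graph merely mentions; the replace directive remains the right move when the package is reachable, or when a module-level scanner has to be satisfied.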

> Yes it was me who submitted the PR to bump it originally here, but I was awaiting a tagged release before bumping the dependency

Hi, reaching out because our repo is marked vulnerable due to this crypto version, is Sarama planning a release with the fixed version? Thanks!

qingyashu avatar Aug 11 '22 21:08 qingyashu

Thank you for taking the time to raise this issue. However, it has not had any activity on it in the past 90 days and will be closed in 30 days if no updates occur. Please check if the main branch has already resolved the issue since it was raised. If you believe the issue is still valid and you would like input from the maintainers then please comment to ask for it to be reviewed.

github-actions[bot] avatar Aug 17 '23 14:08 github-actions[bot]

This was already resolved

dnwe avatar Aug 17 '23 16:08 dnwe