dexidp
CVE-2024-34156
Preflight Checklist
- [X] I agree to follow the Code of Conduct that this project adheres to.
- [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
- [X] I am not looking for support or already pursued the available support channels without success.
Version
2.41.1
Storage Type
Kubernetes
Installation Type
Official container image
Expected Behavior
High/Critical vulnerability-free docker image
Actual Behavior
CVE-2024-34156 has been published against the stdlib lib in go binaries and is found by trivy in docker image v2.41.1 which has go1.22.5
Steps To Reproduce
Running trivy image -v dexidp/dex:latest-alpine yields
Additional Information
The fix has been released in go1.22.7 and go1.23.1. Would you prefer to just bump to go1.22.7 since the latest minor updates g1.23.1 is still very recent?
Configuration
No response
Logs
No response
We are not using encoding/gob anywhere nor our code dependencies, so the CVE is not applicable. The new version of Dex will be released by the end of the month with all the CVE fixes.
@nabokihms gomplate has released v4.2.0 with updated go binary to go1.23.0. Bumping gomplate to v4.2.0 should be the final step to resolve this issue.
~Locally, a dex image built with gomplate 4.2.0 reports nevertheless the CVE at usr/local/bin/gomplate!!! However, the CVE doesn't get reported when running trivy against hairyhenderson/gomplate:v4.2.0. It could be my local setup, although I doubt it. Any ideas?~ It is working. It was probably a caching problem in the local setup.