
Update to Go 1.18

Open scotthew1 opened this issue 3 years ago • 3 comments

It looks like #250 has been open for a while now, but 1.18 has a particularly enticing change for macOS users.

From the change log:

crypto/x509

Certificate.Verify now uses platform APIs to verify certificate validity on macOS and iOS when it is called with a nil VerifyOpts.Roots or when using the root pool returned from SystemCertPool.

scotthew1 avatar Mar 28 '22 21:03 scotthew1

Same here. We are getting Go package vulnerability CVE-2021-36221 as well. Please upgrade ASAP.

nehalshah50 avatar Apr 04 '22 17:04 nehalshah50

Is there a plan to have this upgrade done soon? I've had to remove grpcurl from my Docker image due to a dozen or so vulnerabilities in Go in versions prior to 1.18.1.

scaswell-tsys avatar Jul 20 '22 18:07 scaswell-tsys

Just to be clear on the ask, you want the released binaries and images to be built with Go 1.18 so that the binaries have the CVEs addressed? You're not asking for a go.mod minimum version bump.

dragonsinth avatar Jul 20 '22 18:07 dragonsinth

Yes, I'm asking for the released binaries and images to be built on Go 1.18 to address the CVE.

On Wed, Jul 20, 2022 at 2:49 PM Scott Blum @.***> wrote:

Just to be clear on the ask, you want the released binaries and images to be built with Go 1.18 so that the binaries have the CVEs addressed? You're not asking for a go.mod minimum version bump.


scaswell-tsys avatar Oct 11 '22 07:10 scaswell-tsys

https://github.com/fullstorydev/grpcurl/releases/tag/v1.8.7

dragonsinth avatar Oct 11 '22 12:10 dragonsinth
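
The thread separates the toolchain a released binary was built with from the go.mod minimum version; the former is recorded in the binary and can be checked directly. The following is an added example, not code from the thread or from the grpcurl project; the function names `rank` and `checkBinary` and the minimum version passed on the command line are illustrative assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// rank maps "go1.18.1" to 1018001 so versions compare as integers. A suffix
// such as "rc1" ends the scan, so go1.18rc1 ranks as go1.18 (a simplification).
func rank(s string) (int, error) {
	var major, minor, patch int
	// Sscanf reports an error for "go1.18" (no patch part); only n matters here.
	if n, _ := fmt.Sscanf(s, "go%d.%d.%d", &major, &minor, &patch); n < 2 {
		return 0, fmt.Errorf("not a release toolchain version: %q", s)
	}
	return major*1000000 + minor*1000 + patch, nil
}

// checkBinary reads the toolchain version recorded in the compiled Go binary
// at path and reports whether it is at least minimum (e.g. "go1.18.1").
func checkBinary(path, minimum string) (have string, ok bool, err error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	h, err := rank(info.GoVersion)
	if err != nil {
		return info.GoVersion, false, err
	}
	m, err := rank(minimum)
	return info.GoVersion, err == nil && h >= m, err
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: builtwith <binary> <minimum, e.g. go1.18.1>")
		os.Exit(2)
	}
	have, ok, err := checkBinary(os.Args[1], os.Args[2])
	fmt.Printf("built with %q, meets %s: %v (err: %v)\n", have, os.Args[2], ok, err)
	if !ok {
		os.Exit(1) // fail the image build or CI step
	}
}
```

`go version <binary>` prints the same recorded toolchain version from the command line.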