terraform
update golang.org/x/net, addressing CVE-2023-45288
This adopts the 0.23.0 version of the golang.org/x/net library (moving from current 0.22.0), which includes a fix for CVE-2023-45288.
While, per govulncheck, the Terraform codebase does interact with affected components of this library, Terraform is unlikely to be exposed due to the vulnerability being in the context of an HTTP/2 endpoint that consumes header data.
The changes between the two releases appear to be largely HTTP/2 related, per https://github.com/golang/net/compare/v0.22.0...v0.23.0.
Target Release
1.8.x
Draft CHANGELOG entry
BUG FIXES
Updated to new golang.org/x/net release, which addressed CVE-2023-45288.
FYI this may not backport correctly and will probably need to be recreated for the v1.8 branch (both because there's currently a problem with backport-assistant, and because go.mod/go.sum always have conflicts ;))
Reminder for the merging maintainer: if this is a user-visible change, please update the changelog on the appropriate release branch.