
CVE-2024-45337 - golang.org/x/crypto

Open TidbitSoftware opened this issue 7 months ago • 3 comments

Bug description

Getting "CVE-2024-45337 - golang.org/x/crypto" from Amazon Inspector on a TLJH installation on AWS. It asks that the crypto package be upgraded to version 0.31.0, but I'm having a hard time finding the Go binary in the hub environment. Could you please advise on how to upgrade?

TidbitSoftware, May 13 '25 19:05

The only binary compiled from Go that I'm aware of is Traefik. https://github.com/jupyterhub/the-littlest-jupyterhub/blob/main/tljh%2Ftraefik.py#L32 Does switching to the latest version resolve the CVE warning?

manics, May 13 '25 21:05

Not sure that I know how to go about doing so. I've upgraded TLJH using the regular install procedure. Over SSH, if I do source /opt/tljh/hub/bin/activate, then once the hub env is active, pip show traefik, I get "WARNING: Package(s) not found: traefik". pip list | grep traefik does show "jupyterhub-traefik-proxy 2.0.0", but I'm not sure that's where the binary is from.

TidbitSoftware, May 13 '25 21:05

Traefik can be downloaded by that package, but it is not part of it. You can get a fresh traefik binary with:

python3 -m jupyterhub_traefik_proxy.install --traefik-version 3.4.0

which will download a binary to ./dependencies/traefik. You can then move it to replace the currently installed traefik.

minrk, May 14 '25 07:05
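The replacement procedure minrk describes, written out as an added example script (not code from TLJH or jupyterhub-traefik-proxy). It downloads Traefik with the installer module from the thread, checks that the downloaded binary actually reports the requested version, backs up the current binary and swaps the new one in atomically. The paths and unit name are assumptions not stated in the thread: TLJH under /opt/tljh, its Traefik at /opt/tljh/hub/bin/traefik, the hub env's interpreter at /opt/tljh/hub/bin/python3, and Traefik running as the systemd unit "traefik".

```shell
#!/bin/sh
# Added example, not TLJH or jupyterhub-traefik-proxy code.
# Assumptions: TLJH_PREFIX, TRAEFIK_BIN and the "traefik" systemd unit below
# are guesses about the TLJH layout; adjust them to your installation.
set -eu

TLJH_PREFIX="${TLJH_PREFIX:-/opt/tljh}"                      # assumption
TRAEFIK_BIN="${TRAEFIK_BIN:-$TLJH_PREFIX/hub/bin/traefik}"    # assumption
WANT_VERSION="${WANT_VERSION:-3.4.0}"                         # version from the thread

# Print the x.y.z version of a Traefik binary, parsed from the
# "Version:" line of `traefik version` (a leading "v" is tolerated).
traefik_version() {
    "$1" version 2>/dev/null \
        | sed -n 's/^Version:[[:space:]]*v\{0,1\}\([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Succeed when version $1 is at least version $2 (dotted numeric order).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Replace the installed binary: refuse anything that is not executable or
# does not report a version, keep a .bak copy, and rename into place so the
# proxy never sees a half-copied file. Prints the new binary's version.
install_traefik() {
    new="$1"; dest="$2"
    [ -x "$new" ] || { echo "not executable: $new" >&2; return 1; }
    ver="$(traefik_version "$new")"
    [ -n "$ver" ] || { echo "cannot read a version from $new" >&2; return 1; }
    if [ -e "$dest" ]; then
        cp -p "$dest" "$dest.bak"
    fi
    cp "$new" "$dest.tmp"
    chmod 0755 "$dest.tmp"
    mv -f "$dest.tmp" "$dest"
    echo "$ver"
}

# Whole procedure: download into a scratch dir with the hub env's python
# (that is where jupyterhub-traefik-proxy is installed), verify, install, restart.
upgrade_traefik() {
    work="$(mktemp -d)"
    ( cd "$work" && "$TLJH_PREFIX/hub/bin/python3" -m jupyterhub_traefik_proxy.install \
          --traefik-version "$WANT_VERSION" )
    got="$(traefik_version "$work/dependencies/traefik")"
    version_ge "$got" "$WANT_VERSION" \
        || { echo "downloaded $got, wanted $WANT_VERSION" >&2; return 1; }
    old="$(traefik_version "$TRAEFIK_BIN")"
    echo "traefik: ${old:-none} -> $got"
    install_traefik "$work/dependencies/traefik" "$TRAEFIK_BIN" >/dev/null
    systemctl restart traefik    # assumption: name of TLJH's Traefik unit
    rm -rf "$work"
}

# Only act when explicitly asked; otherwise this file just defines the helpers.
if [ "${1:-}" = "upgrade" ]; then
    upgrade_traefik
fi
```

Run it as root with `sh upgrade-traefik.sh upgrade`. The version check matters because a scanner such as Amazon Inspector keys off the binary it finds on disk: confirm afterwards with `/opt/tljh/hub/bin/traefik version` that the file the proxy now executes is the one you intended, and re-run the scan rather than assuming the finding clears.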