Vulnerability Name: Go (Go) Security Update for golang.org/x/net (GHSA-qxp5-gwg8-xv66)
Hi everyone,
Are there any plans to address the vulnerability below? Our scanner detected a few vulnerabilities that have been addressed in the latest Go (Go) Security Update for golang.org/x/net (GHSA-qxp5-gwg8-xv66).
"VulnId": 5003070, "VulnerabilityName": Go (Go) Security Update for golang.org/x/net (GHSA-qxp5-gwg8-xv66)
Digest: sha256:7fd996b92547d67b6df6e59bcf7255cddf92eca91e3f9cf102f8ca76f13445e1
Best regards
Hi @Abhishek199910, upstream Kubernetes is still at v0.33.0 of golang.org/x/net; kured keeps its downstream dependencies aligned with Kubernetes to ensure compatibility across a set of well-tested versions.
We'll be able to update to v0.36.0 or greater once Kubernetes ships a release with that version in its own dependency graph.
@jackfrancis Any updates?
@Abhishek199910 Nothing prevents you from submitting a PR. We'll review like all the PRs.
Other than that, @jackfrancis is right. We try to avoid overrides of downstream deps.
There is an automated PR: https://github.com/kubereboot/kured/pull/1117
We will most likely refuse this. If you are running an old version of kube you'll be vulnerable anyway.
If you want us to change our policy, please be explicit. Otherwise, you have two choices:
- build your own kured on your environment with a bump (might as well bump the golang version and the kubernetes lib), and take the risk of the change on your environment based on the Kubernetes version you run.
- wait for the next release bump and ignore the dependency issue by considering the risk as acceptable (as many have done here).
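For anyone weighing the two choices above, the following added example (not kured's own code, and not part of this thread) checks which golang.org/x/net version a go.mod actually resolves to, honouring a versioned `replace` override, and compares it against the v0.36.0 floor quoted earlier in the thread. The go.mod contents are constructed to mirror the pinned-to-v0.33.0 state described here; only single-line `require`/`replace` entries and `require (...)` blocks are handled.

```python
import re

# Constructed sample go.mod mirroring the thread: x/net pinned at v0.33.0
# because the Kubernetes dependency set is still on that version.
SAMPLE_GO_MOD = """\
module github.com/kubereboot/kured

go 1.24

require (
	golang.org/x/net v0.33.0
	k8s.io/client-go v0.33.0
)
"""

# Same file with the kind of downstream override the maintainers prefer to
# avoid: a replace directive forcing the patched x/net version.
SAMPLE_GO_MOD_OVERRIDE = SAMPLE_GO_MOD + (
    "\nreplace golang.org/x/net => golang.org/x/net v0.36.0\n"
)

FLOOR = "v0.36.0"  # minimum x/net version named in the thread


def parse_semver(v):
    """Turn 'v0.36.0' (or the vX.Y.Z prefix of a pseudo-version) into a tuple."""
    m = re.match(r"v(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised Go module version: {v}")
    return tuple(int(x) for x in m.groups())


def effective_version(go_mod_text, module):
    """Version of `module` a build would use: a versioned replace target if
    present, otherwise the require entry; None if the module is absent.
    Replace directives pointing at a local path carry no version and are
    ignored here (assumption: only versioned replaces are considered)."""
    mod = re.escape(module)
    req_re = re.compile(rf"^(?:require\s+)?{mod}\s+(\S+)$")
    rep_re = re.compile(rf"^replace\s+{mod}(?:\s+\S+)?\s+=>\s+\S+\s+(\S+)$")
    version = None
    for raw in go_mod_text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop trailing comments
        req = req_re.match(line)
        if req and version is None:
            version = req.group(1)
    for raw in go_mod_text.splitlines():
        rep = rep_re.match(raw.split("//", 1)[0].strip())
        if rep:
            version = rep.group(1)  # replace wins over require
    return version


def meets_floor(go_mod_text, module="golang.org/x/net", floor=FLOOR):
    """True when the resolved version of `module` is at least `floor`."""
    v = effective_version(go_mod_text, module)
    return v is not None and parse_semver(v) >= parse_semver(floor)
```

Run it against a real go.mod by reading the file into a string and calling `meets_floor` on it; a False result means the build still links the x/net version the scanner flagged.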
@evrardjp When are you planning the next release? Is there any ETA?
Best regards
@evrardjp @jackfrancis Do we have any documentation to build our own kured image with the bump? Any help would be greatly appreciated.
This issue was automatically considered stale due to lack of activity. Please update it and/or join our slack channels to promote it, before it automatically closes (in 7 days).
Oh yeah, there were two releases since that issue.