
Golang module versions have current CVEs of High level

Open jocado opened this issue 2 years ago • 0 comments

Hi,

Seems like the following modules have High level CVEs currently, as output from our trivy image scanning:

┌─────────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │         Installed Version          │           Fixed Version           │                            Title                            │
├─────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2021-43565 │ HIGH     │ v0.0.0-20210711020723-a769d52b0f97 │ 0.0.0-20211202192323-5770296d904e │ golang.org/x/crypto: empty plaintext packet causes panic    │
│                     │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-43565                  │
│                     ├────────────────┤          │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                     │ CVE-2022-27191 │          │                                    │ 0.0.0-20220314234659-1baeb1ce4c0b │ golang: crash in a golang.org/x/crypto/ssh server           │
│                     │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27191                  │
├─────────────────────┼────────────────┤          ├────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net    │ CVE-2021-44716 │          │ v0.0.0-20210716203947-853a461950ff │ 0.0.0-20211209124913-491a49abca63 │ golang: net/http: limit growth of header canonicalization   │
│                     │                │          │                                    │                                   │ cache                                                       │
│                     │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-44716                  │
│                     ├────────────────┤          │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                     │ CVE-2022-27664 │          │                                    │ 0.0.0-202209061[651] │ golang: net/http: handle server errors after sending GOAWAY │
│                     │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27664                  │

I can easily create an MR to bump the versions, but I don't know if it's as simple as that. If it is, I will.

Please advise.

Cheers, Just

jocado avatar Feb 28 '23 10:02 jocado
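As an added example (not code from the issue or the project), the following Go program reads a go.mod and reports which of the two modules from the trivy table are still pinned to a pseudo-version older than the fixed pseudo-versions the table lists, which is a quick way to confirm a bump before re-running the scanner. The go.mod content is constructed from the installed versions in the table; the fixed version for CVE-2022-27664 is cut off in the table above and is therefore not included, and tagged releases (v0.x.y) are not compared.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Fixed pseudo-versions copied from the "Fixed Version" column of the trivy table.
var fixedVersions = map[string][]string{
	"golang.org/x/crypto": {"v0.0.0-20211202192323-5770296d904e", "v0.0.0-20220314234659-1baeb1ce4c0b"},
	"golang.org/x/net":    {"v0.0.0-20211209124913-491a49abca63"},
}

// Constructed go.mod fragment using the "Installed Version" values from the table;
// the x/sys line is a made-up indirect dependency to show non-listed modules are ignored.
const sampleGoMod = `module example.com/service

go 1.19

require (
	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
	golang.org/x/net v0.0.0-20210716203947-853a461950ff
	golang.org/x/sys v0.0.0-20220101000000-0123456789ab // indirect
)
`

// pseudoTimestamp returns the 14-digit YYYYMMDDHHMMSS field of a Go pseudo-version
// (v0.0.0-<timestamp>-<hash>), or "" for a tagged release. Pseudo-versions with the
// same base version order by this timestamp, so a string compare is sufficient.
func pseudoTimestamp(v string) string {
	parts := strings.Split(v, "-")
	if len(parts) < 3 || len(parts[1]) != 14 {
		return ""
	}
	return parts[1]
}

// requiredVersions parses "require" lines in both single-line and block form.
func requiredVersions(gomod string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		if len(f) >= 2 && strings.Contains(f[0], "/") && strings.HasPrefix(f[1], "v") {
			out[f[0]] = f[1]
		}
	}
	return out
}

// Outdated maps each listed module whose pinned pseudo-version predates a fixed
// version to the fixed versions it still falls short of.
func Outdated(gomod string) map[string][]string {
	res := map[string][]string{}
	for mod, have := range requiredVersions(gomod) {
		ts := pseudoTimestamp(have)
		if ts == "" {
			continue // tagged release: not a pseudo-version, not compared here
		}
		for _, fixed := range fixedVersions[mod] {
			if ts < pseudoTimestamp(fixed) {
				res[mod] = append(res[mod], fixed)
			}
		}
	}
	return res
}

func main() {
	for mod, fixes := range Outdated(sampleGoMod) {
		fmt.Printf("%s is older than fixed version(s): %s\n", mod, strings.Join(fixes, ", "))
	}
}
```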