
Bump kiali dependency to the latest possible version

Open azuterios opened this issue 2 years ago • 3 comments

Dear Tetratelabs Team,

Please up the kiali version in the go code. There is an existing dependency for version 1.43+, but it's being replaced with an older package here: https://github.com/tetratelabs/getmesh/blob/6089ff183d8b81ac55c89502606347609d444b9b/go.mod#L101

Currently, getmesh version 1.1.5 vulnerability scan comes up with a CVE vulnerability, which is older than 1 year - CVE-2021-20278 https://nvd.nist.gov/vuln/detail/CVE-2021-20278

Please remove the replacement or replace it with a newer version and release it. Thank you!

azuterios

azuterios • May 26 '23 07:05

One other vulnerability, "CVE-2021-3495", is reported by the vulnerability scanner. Reason: github.com/kiali/kiali version: v1.29.1-0.20210125202741-72d2ce2fceb5. Fix is available in version: 1.33.0

Kindly update the "github.com/kiali/kiali" version to 1.33.0 to fix this vulnerability.

Bjyothi2023 • Aug 22 '23 12:08
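Added example, not part of the thread or of getmesh's code: a Go check for the situation the two comments above describe, a `replace` directive that pins a module below the version the same go.mod requires. The go.mod text is constructed (`v1.43.0` is an assumed stand-in for the "1.43+" requirement), and `Downgrades` and `core` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod: v1.43.0 is an assumed stand-in for "1.43+"; the replace target is the scanner-quoted version.
const sampleGoMod = `module example.com/constructed
require (
	github.com/kiali/kiali v1.43.0
)
replace github.com/kiali/kiali => github.com/kiali/kiali v1.29.1-0.20210125202741-72d2ce2fceb5
`

// core maps vMAJOR.MINOR.PATCH[-suffix] to one comparable int (suffix ignored; assumes parts < 1000).
func core(v string) int {
	var a, b, c int
	fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &a, &b, &c)
	return a*1_000_000 + b*1_000 + c
}

// Downgrades reports replace directives that pin a module below its required version.
func Downgrades(gomod string) (out []string) {
	required, block, replaced := map[string]string{}, "", [][2]string{}
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.Split(line, "//")[0]) // drop comments such as "// indirect"
		switch {
		case len(f) == 2 && f[1] == "(":
			block = f[0] // entering a "require (" or "replace (" block
		case len(f) == 1 && f[0] == ")":
			block = ""
		case block != "":
			f = append([]string{block}, f...) // normalise block entries to the one-line form
		}
		if len(f) >= 3 && f[0] == "require" {
			required[f[1]] = f[2]
		} else if len(f) >= 5 && f[0] == "replace" && f[len(f)-3] == "=>" {
			replaced = append(replaced, [2]string{f[1], f[len(f)-1]}) // local-path targets are skipped
		}
	}
	for _, r := range replaced { // compared after parsing, since replace may precede require
		if req, ok := required[r[0]]; ok && core(r[1]) < core(req) {
			out = append(out, fmt.Sprintf("%s: required %s, replaced with %s", r[0], req, r[1]))
		}
	}
	return out
}
func main() { fmt.Println(Downgrades(sampleGoMod)) }
```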

Hello Team, could you please help resolve this issue? It is impacting the projects that are using this tool, as the vulnerability scanner is reporting these issues and it is blocking us from proceeding further.

Bjyothi2023 • Nov 16 '23 13:11

Dear Tetratelabs Team,

This issue has been stale for some time now. Would you be able to provide us with an estimate of when the change might happen, and whether it's possible for it to happen at all?

Thank you for the support on this!

azuterios

azuterios • Jan 02 '24 08:01