
Include old golang.org/x/crypto package with CRITICAL CVE-2024-45337 in v1.9.3 #3397

Open
cmontemuino opened this issue Dec 17, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@cmontemuino

Describe the bug

Summary from Trivy scan:

Vulnerability information: 
+--------------------------------+-----------------------------+----------+-------------------+---------------+----------------------------------------------------------------------------+--------------------------------------------+
|              Type              |           Library           | Severity | Installed Version | Fixed Version |                                  Summary                                   |                More Details                |
+--------------------------------+-----------------------------+----------+-------------------+---------------+----------------------------------------------------------------------------+--------------------------------------------+
|  bin/argo-events (gobinary)    | golang.org/x/crypto (None)  | CRITICAL |      v0.29.0      |     0.31.0    | Applications and libraries which misuse the ServerConfig.PublicKeyCall ... | https://avd.aquasec.com/nvd/cve-2024-45337 |
| usr/local/bin/argo (gobinary)  | golang.org/x/crypto (None)  | CRITICAL |      v0.24.0      |     0.31.0    | Applications and libraries which misuse the ServerConfig.PublicKeyCall ... | https://avd.aquasec.com/nvd/cve-2024-45337 |
+--------------------------------+-----------------------------+----------+-------------------+---------------+----------------------------------------------------------------------------+--------------------------------------------+

To Reproduce

N/A

Expected behavior

No CRITICAL vulnerabilities found.

Screenshots
N/A

Environment (please complete the following information):

  • Argo Events: v1.9.3

Additional context
N/A


Message from the maintainers:

If you wish to see this enhancement implemented please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.

@cmontemuino cmontemuino added the bug Something isn't working label Dec 17, 2024
@cmontemuino
Author

The package has been upgraded in #3390

Would it be possible to release v1.9.4 as a security patch?

@whynowy
Member

whynowy commented Jan 10, 2025

Fixed in argo-events binary, but no argo binary available yet.
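
The maintainer's reply above distinguishes between the two binaries in the image, which is exactly what the Trivy table does: each binary embeds its own module list. The following program is an added example (not part of this issue or of the argo-events project) that reads that embedded list with the standard library's `debug/buildinfo` (the same data `go version -m` prints) and reports any dependency still below the fixed version from the table. The fixed-version map holds only the `golang.org/x/crypto` entry from the Trivy output; the version comparison assumes plain `vMAJOR.MINOR.PATCH` tags (pre-release suffixes are ignored); and the built-in sample listing is constructed to mirror the vulnerable `bin/argo-events` row, not real output from the project's binary.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Finding describes one dependency in a binary that is still below its fixed version.
type Finding struct {
	Binary, Module, Installed, Fixed string
}

// fixedVersions maps a module path to the version Trivy reported as fixed
// (taken from the table in the issue; extend as needed).
var fixedVersions = map[string]string{
	"golang.org/x/crypto": "v0.31.0",
}

// parseSemver turns "v0.29.0" into [0 29 0]. Assumption: pre-release/build
// suffixes ("-rc1", "+meta") are stripped and otherwise ignored.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unexpected module version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unexpected module version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// olderThan reports whether installed sorts strictly before fixed.
func olderThan(installed, fixed string) (bool, error) {
	a, err := parseSemver(installed)
	if err != nil {
		return false, err
	}
	b, err := parseSemver(fixed)
	if err != nil {
		return false, err
	}
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i], nil
		}
	}
	return false, nil
}

// checkBuildInfo walks the dependency list embedded in a binary. A replace
// directive decides which module was actually linked, so it takes precedence.
func checkBuildInfo(binary string, bi *debug.BuildInfo) ([]Finding, error) {
	var findings []Finding
	for _, dep := range bi.Deps {
		mod := dep
		if dep.Replace != nil {
			mod = dep.Replace
		}
		fixed, ok := fixedVersions[mod.Path]
		if !ok {
			continue
		}
		old, err := olderThan(mod.Version, fixed)
		if err != nil {
			return nil, fmt.Errorf("%s: %s: %w", binary, mod.Path, err)
		}
		if old {
			findings = append(findings, Finding{binary, mod.Path, mod.Version, fixed})
		}
	}
	return findings, nil
}

// checkBinary reads the build info embedded in a compiled Go binary on disk.
func checkBinary(path string) ([]Finding, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return checkBuildInfo(path, bi)
}

// sampleBuildInfo is a CONSTRUCTED module listing (the textual form that
// runtime/debug.ParseBuildInfo reads) mirroring the vulnerable row in the issue.
const sampleBuildInfo = "path\tgithub.com/argoproj/argo-events\n" +
	"mod\tgithub.com/argoproj/argo-events\t(devel)\n" +
	"dep\tgolang.org/x/crypto\tv0.29.0\th1:CONSTRUCTED=\n" +
	"dep\tgolang.org/x/sys\tv0.27.0\th1:CONSTRUCTED=\n"

// checkSample runs the check against the constructed listing instead of a file.
func checkSample() ([]Finding, error) {
	bi, err := debug.ParseBuildInfo(sampleBuildInfo)
	if err != nil {
		return nil, err
	}
	return checkBuildInfo("bin/argo-events (sample)", bi)
}

func main() {
	var findings []Finding
	var err error
	if len(os.Args) > 1 { // e.g. ./check bin/argo-events usr/local/bin/argo
		for _, p := range os.Args[1:] {
			f, e := checkBinary(p)
			if e != nil {
				err = e
				break
			}
			findings = append(findings, f...)
		}
	} else {
		findings, err = checkSample()
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s %s is below fixed version %s\n", f.Binary, f.Module, f.Installed, f.Fixed)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it with the paths of both binaries from the image to confirm that each one, not just `bin/argo-events`, links `golang.org/x/crypto` at or above v0.31.0; the non-zero exit status makes it usable as a release gate.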
