
Update go-yaml to v3.0.1 #804

Merged (1 commit), Jun 30, 2022

Conversation

@darkowlzz (Contributor) commented Jun 29, 2022

Fix CVE-2022-28948

Trivy scan result:

┌──────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                          │
├──────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ gopkg.in/yaml.v3 │ CVE-2022-28948 │ HIGH     │ v3.0.0            │ v3.0.1        │ golang-gopkg-yaml: crash when attempting to deserialize │
│                  │                │          │                   │               │ invalid input                                           │
│                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-28948              │
└──────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

Looks like it was initially fixed in v3.0.0, which we updated to in fluxcd/kustomize-controller#665 and the associated PRs in all the repos, but then another fix was added in v3.0.1: go-yaml/yaml@f6f7691.
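The Trivy row above encodes a simple rule: any gopkg.in/yaml.v3 requirement older than v3.0.1 is still exposed to CVE-2022-28948. The following Go program, added here as an illustration and not code from this PR or from the fluxcd project, applies that rule to a go.mod file: it extracts the pinned version of a module (single-line or block `require` form, ignoring `// indirect` comments) and compares it against the fixed version with a small semver comparison that also orders pseudo-versions such as `v3.0.0-20210107192922-496545a6307b` before their base release. The sample go.mod and the function names (RequiredVersion, IsVulnerableYAML, compareSemver) are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod excerpt (not from the PR) that still
// pins the vulnerable release reported by Trivy.
const sampleGoMod = `module example.com/constructed

go 1.18

require (
	github.com/spf13/cobra v1.4.0
	gopkg.in/yaml.v3 v3.0.0 // indirect
)
`

// FixedYAMLVersion is the "Fixed Version" column of the Trivy report.
const FixedYAMLVersion = "v3.0.1"

// RequiredVersion returns the version pinned for modulePath in goMod, or ""
// when the module is not required. Both "require path version" and the
// "require ( ... )" block form are handled; trailing comments are ignored.
func RequiredVersion(goMod, modulePath string) string {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop "// indirect" etc.
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "require "))
		case !inBlock:
			continue // module, go, replace, exclude lines etc.
		}
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == modulePath {
			return fields[1]
		}
	}
	return ""
}

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+build]" into numeric parts.
// The fourth element is 0 when a pre-release suffix is present and 1 when it
// is not, so that a pre-release (including Go pseudo-versions) sorts before
// the release it is derived from.
func parseSemver(v string) [4]int {
	v = strings.TrimPrefix(v, "v")
	var out [4]int
	out[3] = 1
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		if v[i] == '-' {
			out[3] = 0
		}
		v = v[:i]
	}
	for i, part := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(part)
		if err != nil {
			break
		}
		out[i] = n
	}
	return out
}

// compareSemver returns -1, 0 or 1 as a is lower than, equal to or higher than b.
func compareSemver(a, b string) int {
	pa, pb := parseSemver(a), parseSemver(b)
	for i := range pa {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

// IsVulnerableYAML reports whether goMod pins gopkg.in/yaml.v3 below the fixed
// version, together with the pinned version ("" if the module is absent).
func IsVulnerableYAML(goMod string) (bool, string) {
	v := RequiredVersion(goMod, "gopkg.in/yaml.v3")
	if v == "" {
		return false, ""
	}
	return compareSemver(v, FixedYAMLVersion) < 0, v
}

func main() {
	vuln, v := IsVulnerableYAML(sampleGoMod)
	fmt.Printf("gopkg.in/yaml.v3 %s affected by CVE-2022-28948: %v\n", v, vuln)
}
```

A go.mod only records requirements; the version actually built is the one minimal version selection picks across the whole graph. For modules at `go 1.17` or later the go.mod lists every transitive dependency, so the check above reflects the selected version; for older modules, feed it the output of `go list -m all` instead. Scanners such as Trivy (used in this PR) or govulncheck do this graph resolution for you; the program is meant to make the version rule behind the report explicit.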

@darkowlzz added the `area/ci` label (CI related issues and pull requests) Jun 29, 2022
Fix CVE-2022-28948

Signed-off-by: Sunny <darkowlzz@protonmail.com>
@pjbgf (Member) left a comment


LGTM
