Bump golang.org/x/crypto to 7b82a4e #1420
Hi @lsm5, Thank you for bringing this to our attention. It seems like our CI/CD linting processes detected a few deprecated variables being used/imported. Would you be able to update their use as well?
Also:
- Update golang-ci lint configuration

Signed-off-by: Javier Romero <[email protected]>
err whoops, totally missed this. Thanks for picking up the slack @jromero. I'll build this for fedora.
@jromero can we get a new version tag cut with this fix included? That would make fedora building much easier.
TLDR; it may take up to mid next week due to availability. Hope that's okay.
works for me, thanks!
Resolves: GHSA-8c26-wmh5-6g9v - CVE-2022-27191
golang.org/x/crypto@1baeb1ce contains the actual CVE fix. Using the
latest upstream commit to also include support for SHA-2.
I haven't investigated if pack is vulnerable to this CVE but figured it
won't hurt to bump to the latest commit.
Signed-off-by: Lokesh Mandvekar [email protected]
(I can update the description per the format below, but I don't have anything specific (yet).)
Summary
Output
Before
After
Documentation
Related
Resolves #___