Security Vulnerability CVE-2022-28948 (Medium) detected #1920

Closed
Sher-Chowdhury opened this issue Jun 1, 2022 · 3 comments

Comments

@Sher-Chowdhury

This relates to:

sigs.k8s.io/yaml v1.3.0

As per https://www.mend.io/vulnerability-database/CVE-2022-28948, would it be possible to upgrade this yaml package to v3.0.0?

Note that this CVE incorrectly relates to v3 when it should be about v2. See here: go-yaml/yaml#666 (comment)

@dylan-tock

@Sher-Chowdhury To make sure this is explicitly clear, the v2 version of go-yaml is NOT affected, only the v3 version (and there is a patch to fix that vulnerability). The way I read your last sentence, it appears to me you're saying the opposite, and I wanted to ensure nobody else read it that way.

@Sher-Chowdhury
Author

Related dependency issue raised here - kubernetes-sigs/yaml#78

Once a new version of sigs.k8s.io/yaml is released that includes this CVE fix, that version needs to then be consumed by this repo.

@alvaroaleman
Member

Thanks for reporting, but according to kubernetes-sigs/yaml#78 this doesn't actually affect sigs.k8s.io/yaml.
