LD has opened this issue to let everyone know that we're aware of this vulnerability report, and we will release a patch version of our Docker image to address it as soon as possible.
It's our policy to make any necessary dependency/platform updates for such issues no matter what, but we also look into the details to determine how much of an actual risk these represent, if any, to Relay Proxy installations that are currently running. Here is our analysis:
This is a potential denial of service attack that is relevant if the Relay Proxy is exposed to connections from outside of your trusted network.
This is fixed in the 7.0.1 release. Since Relay Proxy 6.7.x is still supported, we intend to make a similar 6.7.15 patch, but that is less straightforward (due to 6.7.x supporting older Go versions) so the 6.7.15 release is not ready yet.
The approach we were intending to use for the 6.7.15 patch was not workable. The 6.7.16 release fixes the vulnerability.
Unfortunately, it's not possible to fix the vulnerability in Go 1.16. Go 1.16 is already EOL, but we were previously maintaining compatibility with it as long as possible in the Relay Proxy 6.x maintenance branch. So, in order to be able to maintain 6.x free of vulnerabilities, we have had to officially drop Go 1.16 support. That only matters if you are building the Relay Proxy from source code; the Docker image uses Go 1.19.