Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: CVE-2023-45142 for release 3.13 #3113

Merged
merged 2 commits into from
Oct 26, 2023
Merged

fix: CVE-2023-45142 for release 3.13 #3113

merged 2 commits into from
Oct 26, 2023

Conversation

sozercan
Copy link
Member

@sozercan sozercan commented Oct 25, 2023
edited
Loading

Co-authored-by: sozercan [email protected]
Co-authored-by: Sertac Ozercan [email protected]

What this PR does / why we need it:

This is fixed in 3.14, but still an issue in 3.13. This PR bumps otel version without frameworks

Technically GK is not affected. Unfortunately, it is going to take time to explain everytime, seems easier to bump the dep 😭🤷‍♂️

$ govulncheck -test ./...
Scanning your code and 1356 packages across 141 dependent modules for known vulnerabilities...

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no call
stacks leading to the use of this vulnerability. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2023-2113
    Memory exhaustion in github.com/open-telemetry/opentelemetry-go-contrib
  More info: https://pkg.go.dev/vuln/GO-2023-2113
  Module: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
    Found in: go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]
    Fixed in: go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]

No vulnerabilities found.

Share feedback at https://go.dev/s/govulncheck-feedback.

@sozercan
fix CVE-2023-45142
af46dba 
Signed-off-by: Sertac Ozercan <[email protected]>
@sozercan
GHSA-m425-mq94-257g
c2f0595 
Signed-off-by: Sertac Ozercan <[email protected]>
@sozercan sozercan marked this pull request as ready for review October 25, 2023 23:04
maxsmythe
maxsmythe approved these changes Oct 26, 2023
View reviewed changes
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@sozercan sozercan merged commit d767834 into open-policy-agent:release-3.13 Oct 26, 2023
@sozercan sozercan deleted the fix-CVE-2023-45142 branch October 26, 2023 00:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maxsmythe maxsmythe maxsmythe approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sozercan @maxsmythe