aws/aws-xray-daemon

Critical vulnerabilities go

Closed this issue · 3 comments

There are a number of critical CVEs in https://s3.us-east-2.amazonaws.com/aws-xray-assets.us-east-2/xray-daemon/aws-xray-daemon-linux-3.x.zip

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
| --- | --- | --- | --- | --- | --- |
| golang.org/x/net | CVE-2021-44716 | HIGH | v0.0.0-20210716203947-853a461950ff | 0.0.0-20211209124913-491a49abca63 | golang: net/http: limit growth of header canonicalization cache https://avd.aquasec.com/nvd/cve-2021-44716 |
| golang.org/x/text | CVE-2021-38561 | | v0.3.6 | 0.3.7 | golang: out-of-bounds read in golang.org/x/text/language leads to DoS https://avd.aquasec.com/nvd/cve-2021-38561 |

Hello, these issues are effectively impacting our operations. We're relying on the x-ray daemon in our entire platform to gather traces. I'd really appreciate it if you could fix these issues very soon.

Hi folks, we've resolved these issues in the daemon's dependencies and will plan a release shortly. Thanks for your patience on this issue.

These vulnerabilities are patched in v3.3.4, which is now released. Thank you for your patience.