buildpacks/lifecycle

Go Binaries shipped with critical CVE-2023-39323

Closed this issue · 3 comments

Summary

Go binaries are shipped with critical CVE-2023-39323.

Can we upgrade the Go versions to go 1.21.3 or 1.20.10?

@kennethye1 thanks for opening this issue. This will be fixed in 0.18.0 - we are readying the release candidate 0.18.0-rc.1 as we speak. We usually let the release candidate bake for a day or two before we cut the "real" one. It's worth noting that CVE-2023-39323 is non-exploitable as we don't use cgo.
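A maintainer or platform operator who wants to verify the two claims above (that a shipped binary carries a fixed Go version, 1.20.10 or 1.21.3 and later, and that it was built without cgo) can read the toolchain version and the CGO_ENABLED build setting that Go embeds in every binary. The following is an added example, not code from the lifecycle project: it uses the standard `debug/buildinfo` package and assumes that release lines older than 1.20 received no fix and are reported as unpatched, and that a binary with no recorded CGO_ENABLED setting is reported as "unknown" rather than assumed safe. The `classify` function and its verdict strings are this example's own naming.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Verdict strings returned by classify (names chosen for this example).
const (
	VerdictPatched       = "patched"
	VerdictUnpatchedNoCgo = "unpatched,cgo=0"
	VerdictUnpatchedCgo   = "unpatched,cgo=1"
	VerdictUnpatchedUnkn  = "unpatched,cgo=unknown"
)

// leadingInt parses the digits at the start of s ("21rc1" -> 21).
func leadingInt(s string) (int, bool) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	if i == 0 {
		return 0, false
	}
	n, err := strconv.Atoi(s[:i])
	return n, err == nil
}

// parseGoVersion splits "go1.21.3" (or "go1.21rc1", "go1.21") into numeric
// parts. Pre-release suffixes are ignored and a missing patch number is 0,
// so "go1.21" and "go1.21rc1" both count as 1.21.0.
func parseGoVersion(v string) (major, minor, patch int, ok bool) {
	parts := strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3)
	if len(parts) < 2 {
		return 0, 0, 0, false
	}
	var nums [3]int
	for i, p := range parts {
		n, good := leadingInt(p)
		if !good {
			return 0, 0, 0, false
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], true
}

// goVersionFixedFor39323 reports whether the recorded toolchain version
// includes the CVE-2023-39323 fix: 1.20.10+, 1.21.3+, or any later minor.
// Assumption: 1.19 and earlier never received a fix and are unpatched.
func goVersionFixedFor39323(v string) bool {
	major, minor, patch, ok := parseGoVersion(v)
	if !ok || major != 1 {
		return false
	}
	switch {
	case minor > 21:
		return true
	case minor == 21:
		return patch >= 3
	case minor == 20:
		return patch >= 10
	default:
		return false
	}
}

// lookupSetting returns the value of a build setting, or "" if absent
// (binaries built before Go 1.18 record no settings at all).
func lookupSetting(settings []debug.BuildSetting, key string) string {
	for _, s := range settings {
		if s.Key == key {
			return s.Value
		}
	}
	return ""
}

// classify combines the toolchain version with the CGO_ENABLED value
// ("" when not recorded) into one verdict string.
func classify(goVersion, cgoEnabled string) string {
	if goVersionFixedFor39323(goVersion) {
		return VerdictPatched
	}
	switch cgoEnabled {
	case "0":
		return VerdictUnpatchedNoCgo
	case "1":
		return VerdictUnpatchedCgo
	default:
		return VerdictUnpatchedUnkn
	}
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: go run . <go-binary>...")
		os.Exit(2)
	}
	exit := 0
	for _, path := range os.Args[1:] {
		info, err := buildinfo.ReadFile(path) // reads the embedded build info
		if err != nil {
			fmt.Printf("%s: %v\n", path, err)
			exit = 1
			continue
		}
		verdict := classify(info.GoVersion, lookupSetting(info.Settings, "CGO_ENABLED"))
		fmt.Printf("%s: %s (%s)\n", path, info.GoVersion, verdict)
		if verdict != VerdictPatched {
			exit = 1
		}
	}
	os.Exit(exit)
}
```

Run it against the lifecycle binaries extracted from a release tarball (for example `go run . lifecycle/*`); a non-zero exit means at least one binary is still on an unfixed toolchain, and the `cgo=` part of the verdict shows whether the binary matches the "we don't use cgo" build configuration described above.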

Actually, I think we could patch this in a 0.17.2 - as 0.18.0 will remove support for deprecated buildpack and platform APIs, there may be some users who need extra time to upgrade, so another 0.17.x would help in the meantime. This could probably go out today...