Update `golang.org/x/text` and `gopkg.in/yaml` version pinning to address CVEs
Closed this issue · 1 comment
mamccorm commented
There are a number of vulnerabilities in the following go libraries:
usr/local/bin/tfswitch (gobinary)
Total: 4 (UNKNOWN: 2, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| golang.org/x/text | CVE-2021-38561 | HIGH | v0.3.5 | 0.3.7 | golang: out-of-bounds read in golang.org/x/text/language leads to DoS (https://avd.aquasec.com/nvd/cve-2021-38561) |
| gopkg.in/yaml.v2 | CVE-2019-11254 | MEDIUM | v2.2.2 | 2.2.8 | kubernetes: Denial of service in API server via crafted YAML payloads by... (https://avd.aquasec.com/nvd/cve-2019-11254) |
| gopkg.in/yaml.v2 | GMS-2019-2 | UNKNOWN | v2.2.2 | v2.2.3 | XML Entity Expansion |
| gopkg.in/yaml.v2 | GO-2021-0061 | UNKNOWN | v2.2.2 | 2.2.3 | Due to unbounded alias chasing, a maliciously crafted YAML file can cause the... |
Can we update the version pinning and look to pull in the latest versions of the libraries mentioned above?
jukie commented
Thanks for bringing this up, I'll get them updated.