Please upgrade Go runtime (>= 1.21.1) to fix security vulnerabilities

Question

Please upgrade Go runtime (>= 1.21.1) to fix security vulnerabilities

jhauglid opened this issue 10 months ago · comments

Jon Olav Hauglid commented 10 months ago

The currently used version of the Go runtime (1.21.0) have several high severity security vulnerabilities that can be detected by scanners such as the Google Artifact Registry scanner.

Here's a list of issues:
https://nvd.nist.gov/vuln/detail/CVE-2023-39318
https://nvd.nist.gov/vuln/detail/CVE-2023-39319
https://nvd.nist.gov/vuln/detail/CVE-2023-39320
https://nvd.nist.gov/vuln/detail/CVE-2023-39321
https://nvd.nist.gov/vuln/detail/CVE-2023-39322

All of these have been fixed in 1.21.1
Please consider upgrading.

Prince Kumar · Answer 1 · Wed Sep 27 2023 16:23:53 GMT+0800 (China Standard Time)

Thanks @jhauglid for raising this! We will take this as part of next release.

Prince Kumar · Answer 2 · Fri Sep 29 2023 13:52:41 GMT+0800 (China Standard Time)

We have upgraded the go-lang version. This will be reflected in the next release (planned on 23rd Oct). Closing this issue.

Nitin Garg · Answer 3 · Fri Oct 06 2023 13:27:20 GMT+0800 (China Standard Time)

We have upgraded the go-lang version. This will be reflected in the next release (planned on 23rd Oct). Closing this issue.

The October release has now been postponed to an early Nov 2023 release instead (planned on Nov 6, 2023) to include some critical improvements.

@jhauglid Please let us know if there is a cause for concern.

Nitin Garg · Answer 4 · Mon Oct 09 2023 15:59:18 GMT+0800 (China Standard Time)

Closing this as its code is already in oct_2023_release branch and this issue is also labeled as 'next_release'.