Affected by CVE-2023-39323 and CVE-2023-39320?

Question

Affected by CVE-2023-39323 and CVE-2023-39320?

brasstax opened this issue 9 months ago · comments

brasstax commented 9 months ago

Hi gcsfuse maintainers,

it looks like this is running go v1.21.0. There are two critical CVEs against this, fixed in v1.21.2:

CVE-2023-39323
CVE-2023-39320

Do you know if gcsfuse is affected by this, and is it possible to bump the go version to v1.21.2?

Thank you,
brasstax

Ashmeen Kaur · Answer 1 · Tue Oct 17 2023 13:00:23 GMT+0800 (China Standard Time)

Hi @brasstax,
Thank you for bringing this to our notice.
We recently upgraded to go version 1.21.2 (Ref PR: #1431). The upgrade is expected to be reflected in our next release, which is scheduled for early November.

brasstax · Answer 2 · Wed Oct 18 2023 00:20:22 GMT+0800 (China Standard Time)

Hi @ashmeenkaur,

Thanks for addressing this. Would it be okay to leave this ticket open until the next release?

Thank you,
brasstax

Ashmeen Kaur · Answer 3 · Wed Oct 18 2023 13:51:28 GMT+0800 (China Standard Time)

Hi @brasstax,

Thank you for your feedback. We would be happy to keep this ticket open until the next release. Once the change is released, we will update you here.

Thanks,
Ashmeen

Ayush Sethi · Answer 4 · Thu Nov 09 2023 21:33:14 GMT+0800 (China Standard Time)

GCSFuse v1.2.1 is released with Golang v1.21.3.