Upgrade to go 1.21.2+

Question

Upgrade to go 1.21.2+

vinsonxing opened this issue 8 months ago · comments

Hi,

Do you have plan to upgrade the golang version to 1.21.2+ (currently the grpcurl 1.8.9 is built on top of golang 1.21.1)? In our security scanning, we get a Critical issue in 1.21.1 (CVE-2023-39323)

Thanks

gfrankliu · Answer 1 · Tue Oct 31 2023 04:29:20 GMT+0800 (China Standard Time)

Our scanner also complained https://nvd.nist.gov/vuln/detail/CVE-2023-44487 due to go 1.21.1

Apart from go, there is also grpc version that needs to be upgraded: GHSA-m425-mq94-257g

lokeshmavale · Answer 2 · Sat Nov 04 2023 01:51:40 GMT+0800 (China Standard Time)

Same, Critical issue with: GHSA-m425-mq94-257g

Vinson · Answer 3 · Fri Nov 17 2023 10:54:10 GMT+0800 (China Standard Time)

will this be fixed in a new version? what's the timeline?

Scott Blum · Answer 4 · Fri Nov 17 2023 22:32:46 GMT+0800 (China Standard Time)

There's no threat model for either of these vulns for gRPCurl. So we have no urgency to address them.

enakshipriya · Answer 5 · Wed Feb 07 2024 16:41:00 GMT+0800 (China Standard Time)

I am not raising another issue because I found this open one. Even in our case we are getting security vuln due the below CVE-ids which require upgrade to golang version 1.21.2+

CVE-2023-39323
CVE-2023-45285
CVE-2023-45283
CVE-2023-39325
CVE-2023-45284
CVE-2023-39326