grpc-ecosystem / grpc-health-probe

A command-line tool to perform health-checks for gRPC applications in Kubernetes and elsewhere

Re-Release to address CVE-2024-24788?

ckcr4lyf opened this issue

Golang 1.22.2 has a vulnerability in the form of CVE-2024-24788, which has been fixed in 1.22.3.

Since the latest version was built on 1.22.2, it is setting off Trivy (especially since Trivy's update to scan stdlib, i.e. the version of Golang a binary was compiled with).

I am not sure how to address this in the form of a PR, since no change is needed except to rebuild the artifacts (releases) with Golang 1.22.3.

Since go.mod uses go 1.22, I don't know if you'd be open to additionally specifying the patch version (i.e. go 1.22.3).

Thanks for your time.

Running into this same issue.

One more issue with the Golang 1.22.2 CVE-2024-24790, which has been fixed in 1.22.4.

Yeah, also running into this, would be great to release a new version.
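An added example, not part of the thread or of the grpc-health-probe project: a release gate that reads the toolchain version embedded in a compiled Go binary (the value `go version <binary>` prints, and the one the issue says the scanner keys on) and fails when it is older than a required patch release. The function names and the command-line shape are assumptions made for illustration; the minimum version is supplied by the caller.

```go
package main

import (
	"debug/buildinfo"
	"errors"
	"fmt"
	"log"
	"os"
	"regexp"
	"strconv"
)

// Release versions only: "go1.22", "go1.22.3", optionally followed by " X:<experiment>".
var releaseRE = regexp.MustCompile(`^go(\d{1,3})\.(\d{1,3})(?:\.(\d{1,3}))?(?: .*)?$`)

// versionKey maps "go1.22.2" to 1022002; pre-release and devel strings are rejected.
func versionKey(s string) (int, error) {
	m := releaseRE.FindStringSubmatch(s)
	if m == nil {
		return 0, fmt.Errorf("not a Go release version: %q", s)
	}
	key := 0
	for _, p := range m[1:] {
		n, _ := strconv.Atoi(p) // an absent patch level is "" and counts as 0
		key = key*1000 + n
	}
	return key, nil
}

// atLeast reports whether toolchain version got is >= want; it fails closed on errors.
func atLeast(got, want string) (bool, error) {
	g, gerr := versionKey(got)
	w, werr := versionKey(want)
	return gerr == nil && werr == nil && g >= w, errors.Join(gerr, werr)
}

func main() {
	if len(os.Args) != 3 {
		log.Fatal("usage: prog <binary> <min-go-version, e.g. go1.22.3>")
	}
	info, err := buildinfo.ReadFile(os.Args[1]) // build info embedded by the Go linker
	if err != nil {
		log.Fatal(err)
	}
	if ok, err := atLeast(info.GoVersion, os.Args[2]); !ok {
		log.Fatalf("built with %s, want >= %s (error: %v)", info.GoVersion, os.Args[2], err)
	}
	fmt.Println("ok:", info.GoVersion)
}
```

Run against a release artifact in CI, a non-zero exit shows the artifact needs rebuilding with a newer toolchain even though the source tree is unchanged.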