Current release uses go 1.21.1 which has a number of CVEs
yucombinator opened this issue
Yu Chen Hou commented
Bug Report
The latest v1.6.1 release has a number of CVEs due to the Go version that was used to build them:
- https://nvd.nist.gov/vuln/detail/CVE-2023-39326
- https://nvd.nist.gov/vuln/detail/CVE-2023-45283
- https://nvd.nist.gov/vuln/detail/CVE-2023-45284
- https://nvd.nist.gov/vuln/detail/CVE-2023-48795
- https://nvd.nist.gov/vuln/detail/CVE-2023-39326
As pushgateway is built with Go 1.21.1, can we update to 1.21.5 or above to resolve these vulnerabilities?
Sylvain Boily commented
We asked the same: #614. Still no answer; looks like master is green from a vulnerability point of view, but was never released.
Björn Rabenstein commented
Yeah, sorry for lagging behind with releases. I'll try to cut one tomorrow.
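
The report above turns on which Go toolchain built the released binary. As an added example (not part of the thread or of the pushgateway code), this Go program reads the toolchain version embedded in a binary with the standard library's `debug/buildinfo` and compares it with the 1.21.5 floor requested in the report; the function and variable names are illustrative.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// minGo is the lowest toolchain the issue asks for: Go 1.21.5.
var minGo = [3]int{1, 21, 5}

// parseGoVersion turns "go1.21.1" into {1, 21, 1}. A missing patch number or
// a suffix such as "rc1" leaves patch at 0; "devel ..." strings are an error.
func parseGoVersion(s string) (v [3]int, err error) {
	n, _ := fmt.Sscanf(s, "go%d.%d.%d", &v[0], &v[1], &v[2])
	if n < 2 {
		return v, fmt.Errorf("unrecognised Go version %q", s)
	}
	return v, nil
}

// atLeast reports whether version a is >= version b.
func atLeast(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return true
}

// checkBinary reads the toolchain version embedded in a Go binary and
// reports whether it meets minGo.
func checkBinary(path string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	v, err := parseGoVersion(info.GoVersion)
	return info.GoVersion, err == nil && atLeast(v, minGo), err
}

func main() {
	for _, path := range os.Args[1:] {
		goVer, ok, err := checkBinary(path)
		fmt.Printf("%s: toolchain %q, meets go1.21.5: %v (err: %v)\n", path, goVer, ok, err)
	}
}
```

This checks the toolchain version only; advisories in modules compiled into the binary need a scanner such as `govulncheck -mode=binary`.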