cves: bump go to 1.24.2, x/net, x/crypto #5

Merged
merged 1 commit into from
Apr 28, 2025

@M4tteoP M4tteoP commented Apr 24, 2025

Fixes:

| Severity | CVE | Package | Fix |
|---|---|---|---|
| MEDIUM | CVE-2024-45336 | stdlib | v1.22.8 → 1.22.11, 1.23.5, 1.24.0-rc.2 |
| MEDIUM | CVE-2025-22871 | stdlib | v1.22.8 → 1.23.8, 1.24.2 |
| MEDIUM | CVE-2025-22872 | golang.org/x/net | v0.33.0 → 0.38.0 |
| MEDIUM | CVE-2024-45341 | stdlib | v1.22.8 → 1.22.11, 1.23.5, 1.24.0-rc.2 |
| MEDIUM | CVE-2025-22866 | stdlib | v1.22.8 → 1.22.12, 1.23.6, 1.24.0-rc.3 |
| MEDIUM | CVE-2025-22870 | golang.org/x/net | v0.33.0 → 0.36.0 |

Before:

```
▶ grype xyz/ci-images/kube-rbac-proxy:v0.15.0-tetrate-v5
 ✔ Scanned for vulnerabilities     [8 vulnerability matches]
   ├── by severity: 1 critical, 1 high, 6 medium, 0 low, 0 negligible
   └── by status:   7 fixed, 1 not-fixed, 0 ignored
NAME                        INSTALLED  FIXED-IN                      TYPE       VULNERABILITY        SEVERITY
golang.org/x/crypto         v0.31.0    0.35.0                        go-module  GHSA-hcg3-q754-cr77  High
golang.org/x/net            v0.33.0    0.36.0                        go-module  GHSA-qxp5-gwg8-xv66  Medium
golang.org/x/net            v0.33.0    0.38.0                        go-module  GHSA-vvgc-356p-c3xw  Medium
gopkg.in/square/go-jose.v2  v2.6.0                                   go-module  GHSA-c5q2-7r4c-mv6g  Medium
stdlib                      go1.22.8   1.23.8, 1.24.2                go-module  CVE-2025-22871       Critical
stdlib                      go1.22.8   1.22.11, 1.23.5, 1.24.0-rc.2  go-module  CVE-2024-45336       Medium
stdlib                      go1.22.8   1.22.11, 1.23.5, 1.24.0-rc.2  go-module  CVE-2024-45341       Medium
stdlib                      go1.22.8   1.22.12, 1.23.6, 1.24.0-rc.3  go-module  CVE-2025-22866       Medium
```

After:

```
▶ grype tetrate/kube-rbac-proxy:v0.15.0-6d7e868a-arm64
 ✔ Scanned for vulnerabilities     [1 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 1 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 1 not-fixed, 0 ignored
NAME                        INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY
gopkg.in/square/go-jose.v2  v2.6.0               go-module  GHSA-c5q2-7r4c-mv6g  Medium
```

@M4tteoP M4tteoP merged commit ec92366 into release-v0.15.0 Apr 28, 2025
12 of 14 checks passed