
Fix security vulnerability CVE-2022-41717 exposed by Go gRPC dependency #1253

Closed · DonSealy opened this issue Dec 8, 2022 · 1 comment

Comments

DonSealy commented Dec 8, 2022

What would you like?

It appears that kit/transport/grpc is vulnerable to the attack outlined in CVE-2022-41717 due to the package dependency on the Go gRPC implementation. Can go-kit be updated to leverage fixes for this vulnerability? It is fixed in Go minor releases 1.18.9 and 1.19.4.

peterbourgon (Member) commented

Go kit expresses a dependency on the module google.golang.org/grpc at version v1.40.0. The latest version of that module is currently v1.51.0. These two versions share a major version number, and so Go modules treats them as compatible during version resolution, and applications that (correctly) assert that later version will receive it.

Happy to review and approve a PR that bumps the grpc module version as suggested, assuming tests pass, etc. But that's a nice-to-have; if it doesn't happen, it's not any kind of vulnerability. See e.g. #1250.
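The version-resolution point above, as an added example (not code from go-kit or from the commenter): a small Go program that reads `go mod graph` output (a constructed sample here; the application path example.com/app and the go-kit version v0.12.0 are placeholders) and reports which google.golang.org/grpc version the build actually selects and whether it is still below a required minimum.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output (not taken from the go-kit repo); each
// line is "<requirer> <module>@<version>". The app requires grpc v1.51.0, go-kit v1.40.0.
const sampleGraph = `example.com/app github.com/go-kit/kit@v0.12.0
example.com/app google.golang.org/grpc@v1.51.0
github.com/go-kit/kit@v0.12.0 google.golang.org/grpc@v1.40.0`
// compareVersions orders "vMAJOR.MINOR.PATCH" strings (a -pre or pseudo-version suffix
// is ignored, unparsable input counts as v0.0.0); negative, zero or positive like strings.Compare.
func compareVersions(a, b string) int {
	var va, vb [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &va[0], &va[1], &va[2])
	fmt.Sscanf(b, "v%d.%d.%d", &vb[0], &vb[1], &vb[2])
	for i := range va {
		if va[i] != vb[i] {
			return va[i] - vb[i]
		}
	}
	return 0
}
// selectedVersions mirrors minimal version selection within one major version: the build
// uses the highest version any module in the graph requires, so the app's own require line wins.
func selectedVersions(graph string) map[string]string {
	sel := map[string]string{}
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		path, ver, ok := strings.Cut(f[1], "@")
		if cur, seen := sel[path]; ok && (!seen || compareVersions(ver, cur) > 0) {
			sel[path] = ver
		}
	}
	return sel
}
// belowMinimum reports whether path resolves below min (or is absent), i.e. is still unfixed.
func belowMinimum(sel map[string]string, path, min string) bool {
	v, ok := sel[path]
	return !ok || compareVersions(v, min) < 0
}

func main() {
	sel := selectedVersions(sampleGraph)
	fmt.Println(sel["google.golang.org/grpc"], belowMinimum(sel, "google.golang.org/grpc", "v1.51.0"))
}
```

Against a real tree, feed it the output of `go mod graph` from the application module; the toolchain fix the issue names (Go 1.18.9 / 1.19.4) is a separate check of `go version`, not of the module graph.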
