Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update github.com/hashicorp/serf and github.com/hashicorp/consul/api to fix CVE-2019-19794 #1250

Conversation

francogeller
Copy link
Contributor

@francogeller francogeller commented Aug 25, 2022

This PR update github.com/hashicorp/serf and github.com/hashicorp/consul/api in order to fully deprecate github.com/miekg/dns@v1.0.14 due to CVE-2019-19794 security vuln.
Issue #1249

@francogeller francogeller changed the title Update github.com/hashicorp/serf and github.com/hashicorp/consul/api to fix CVE-2018-17419 Update github.com/hashicorp/serf and github.com/hashicorp/consul/api to fix CVE-2019-19794 Aug 25, 2022
This fully deprecate github.com/miekg/dns@v1.0.14 due to security vuln CVE-2019-19794.
This PR close issue go-kit#1249.
@peterbourgon
Copy link
Member

peterbourgon commented Aug 25, 2022

For the record, version bumps like this aren't necessary in intermediary Go projects like Go kit, because the version is determined by the downstream consumer. I'm happy to merge simple PRs like this one, but there is no security issue here, really.

@francogeller francogeller force-pushed the enhancement/websec-miekg-dns-dependency-update branch from 62dab9e to ede5915 Compare August 25, 2022 18:39
@francogeller
Copy link
Contributor Author

Hello, thank you very much for considering the PR. Particularly in our projects, the change would be convenient because the applications we have that search for code vulnerabilities mark kit as a vulnerable dependency because it has a transitive dependency with a vulnerable version of dns.
Maybe this will help others to comply with their security policies, if they have them. But I agree with you that it is not a security vulnerability, instead we can take it as an improvement with integrations.

@peterbourgon
Copy link
Member

the change would be convenient because the applications we have that search for code vulnerabilities mark kit as a vulnerable dependency because it has a transitive dependency with a vulnerable version of dns.

Any tool which does this is incorrect 🤷

@peterbourgon peterbourgon merged commit a7ba4fa into go-kit:master Aug 26, 2022
@ChrisHines
Copy link
Member

It's also worth noting that changes like this don't propagate to a wide audience until Go kit tags a new release. Someone would have to run go get github.com/go-kit/kit/...@master or something similar. The ...@latest version will continue to get the newest tagged release, as will a basic go get when adding Go kit to a go.mod for the first time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants