-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(SEC): Fixing CVE-2021-31525 #8274
Conversation
Sanjay Kshetramade seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this will probably fix other CVEs as well.
@@ -62,10 +62,10 @@ require ( | |||
go.opencensus.io v0.22.5 | |||
go.uber.org/zap v1.16.0 | |||
golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a | |||
golang.org/x/net v0.0.0-20201021035429-f5854403a974 | |||
golang.org/x/net v0.0.0-20210428140749-89ef3d95e781 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@skrdgraph I changed this to address CVE-2021-31525. However go mod tidy
made additional changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes this is true, the current sec-CVE count is at 70 (before merging this PR). The other fixes that came in through go mod tidy
will be addressing other CVEs for sure. We can look at the CVE count after this merge. We are expecting the number to drop to 69, but if it goes further below - it simply means we have fixed more CVEs with this single PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good 👍 .
Please sign the CLA
@meghalims I have signed the CLA, but it takes a day to reflect per @skrdgraph . |
Ahh yes. Thanks Sanjay |
Co-authored-by: Sanjay Kshetramade <[email protected]>
Problem
CVE-2021-31525
Solution
Fixing CVE-2021-31525 by bumping version