Vulnerability with Go version with envsubst #49

Closed
ryanh-orca opened this issue Feb 13, 2023 · 1 comment · Fixed by #57
Comments

@ryanh-orca

With this CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-27664, Go has a vulnerability in any version before 1.18.6 or 1.19.1.

The latest release of envsubst is using Go version 1.17: https://github.com/a8m/envsubst/blob/v1.4.2/go.mod#L3

Is there a plan to upgrade the Go version to patch this CVE?

@a8m
Owner

a8m commented Feb 13, 2023

Binaries are built with the latest Go version by default, but you can feel free to send a patch to fix the go.mod file. Thanks 🙏🏻

This issue was closed.
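Added example, not part of the issue thread or the envsubst project's code: the `go` line in go.mod is not the record of which toolchain compiled a release binary, so this Go program checks both against the version range quoted in the issue. The function names and the command-line usage are assumptions made for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// parseGo reads "go1.19.1", "1.17" or "go1.21.0 X:exp" as major.minor.patch.
func parseGo(v string) (p [3]int, ok bool) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	n, _ := fmt.Sscanf(v, "%d.%d.%d", &p[0], &p[1], &p[2])
	return p, n >= 2 // a missing patch level counts as .0
}

// affected applies the issue's range for CVE-2022-27664: <1.18.6, or 1.19.0.
func affected(v string) (bool, error) {
	p, ok := parseGo(v)
	if !ok {
		return false, fmt.Errorf("unrecognised Go version %q", v)
	}
	return p[0] == 1 && (p[1] < 18 || (p[1] == 18 && p[2] < 6) || (p[1] == 19 && p[2] < 1)), nil
}

// goDirective returns the version on the "go" line of go.mod text.
func goDirective(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

func main() { // usage: prog <go.mod> <go-binary>
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: prog <go.mod> <go-binary>")
		os.Exit(2)
	}
	mod, _ := os.ReadFile(os.Args[1])
	info, err := buildinfo.ReadFile(os.Args[2]) // toolchain version embedded by the linker
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	dirBad, _ := affected(goDirective(string(mod)))
	binBad, _ := affected(info.GoVersion)
	fmt.Printf("go.mod %s in range: %v; binary %s in range: %v\n", goDirective(string(mod)), dirBad, info.GoVersion, binBad)
}
```

`go version -m <binary>` prints the same embedded toolchain version from the command line.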