Consider bumping net/http to resolve govulncheck #1151

Closed
rootulp opened this issue Dec 11, 2023 · 0 comments · Fixed by #1152
rootulp commented Dec 11, 2023

Context

Govulncheck is failing here https://github.com/celestiaorg/celestia-core/actions/runs/7168555097/job/19520975613#step:5:52

Problem

```
=== Informational ===

Found 1 vulnerability in packages that you import, but there are no call
stacks leading to the use of this vulnerability. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2023-2102
    HTTP/2 rapid reset can cause excessive work in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2102
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.14.0
    Fixed in: golang.org/x/net@v0.17.0

Your code is affected by 2 vulnerabilities from the Go standard library.

Share feedback at https://go.dev/s/govulncheck-feedback.
exit status 3
make: *** [Makefile:254: vulncheck] Error 1
Error: Process completed with exit code 2.
```

Proposal

Consider bumping to golang.org/x/net@v0.17.0 to resolve this vulnerability
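
An added example, not code from celestia-core or govulncheck: it reads the `Module:` and `Fixed in:` lines of a text report like the one above and compares them with a go.mod to list the `module@version` arguments a bump needs. The names `FixedVersions`, `Bumps` and `older`, the `example.test/app` module and the go.mod contents are constructed for illustration. It assumes the report layout shown above and plain `vMAJOR.MINOR.PATCH` versions.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed inputs: the module entry from the report above and a minimal go.mod.
const sampleReport = `Vulnerability #1: GO-2023-2102
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.14.0
    Fixed in: golang.org/x/net@v0.17.0`
const sampleGoMod = "module example.test/app\n\nrequire golang.org/x/net v0.14.0 // indirect\n"

// FixedVersions maps each "Module:" in the text report to its highest "Fixed in" version.
func FixedVersions(report string) map[string]string {
	fixes, module := map[string]string{}, ""
	for _, raw := range strings.Split(report, "\n") {
		line := strings.TrimSpace(raw)
		if m := strings.TrimPrefix(line, "Module: "); m != line {
			module = m
		} else if v := strings.TrimPrefix(line, "Fixed in: "+module+"@"); v != line && older(fixes[module], v) {
			fixes[module] = v
		}
	}
	return fixes
}

// older reports whether a sorts before b, comparing numerically; unparsable input reads as v0.0.0.
func older(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	return x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
}

// Bumps returns a "module@version" argument for each go.mod requirement that is below its fix.
func Bumps(goMod string, fixes map[string]string) []string {
	var bumps []string
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && older(f[1], fixes[f[0]]) {
			bumps = append(bumps, f[0]+"@"+fixes[f[0]])
		}
	}
	return bumps
}

func main() { fmt.Println(Bumps(sampleGoMod, FixedVersions(sampleReport))) }
```

Each returned string can be passed to `go get`; a go.mod already at or above the fixed version yields an empty list.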

rootulp mentioned this issue Dec 11, 2023
rootulp pushed a commit that referenced this issue Dec 13, 2023
## Description
Close #1151 

Bumping to golang.org/x/net@v0.17.0 to resolve vulnerability.

---

#### PR checklist

- [ ] Tests written/updated
- [ ] Changelog entry added in `.changelog` (we use
[unclog](https://github.com/informalsystems/unclog) to manage our
changelog)
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code
comments
rootulp self-assigned this Feb 2, 2024