Upgrade indirect dependency go-libp2p-core to v0.20.1 #1626
Conversation
force-pushed from d440049 to f0d8d90
go.mod (Outdated)
require ( | ||
github.com/AdaLogics/go-fuzz-headers v0.0.0-20221007124625-37f5449ff7df // indirect | ||
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20220912195655-e1f97a00006b // indirect | ||
github.com/Microsoft/hcsshim v0.10.0-rc.1 // indirect | ||
github.com/btcsuite/btcd v0.21.0-beta // indirect | ||
// ↑The `github.com/btcsuite/btcd` line exists for the indirect dependency on `github.com/btcsuite/btcd/btcec` (secp256k1 elliptic curve cryptography library) via `github.com/ipfs/go-ipfs-http-client`. | ||
// https://github.com/btcsuite/btcd/tree/master/btcec |
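Review bot: the two comment lines under `github.com/btcsuite/btcd v0.21.0-beta // indirect` (the `// ↑The ...` explanation and the `// https://github.com/btcsuite/btcd/tree/master/btcec` link) record why btcd was being kept via go-ipfs-http-client, which is exactly what this PR's go-libp2p-core bump is meant to make moot, so they should be dropped rather than carried forward. If the btcd requirement line itself still shows up in go.mod after the upgrade, confirm the remaining chain with `go mod why -m github.com/btcsuite/btcd` and run `go mod tidy` before merging: an indirect requirement that survives the bump means the scanner finding this PR is addressing will not go away.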
This note can now be dropped
@AkihiroSuda Updated PR to address review comment. Thanks!
go.mod (Outdated)
@@ -58,11 +58,16 @@ require ( | |||
gotest.tools/v3 v3.4.0 | |||
) | |||
|
|||
require ( |
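Review bot: the hunk closes the existing block at `)` after `gotest.tools/v3 v3.4.0` and then opens a fresh `require (` for the new entries, which adds a third require block to the file. The indirect requirements this PR introduces belong in the block that already holds the `// indirect` entries (the one shown in the earlier hunk of this file), so fold the new lines into it instead of opening another block; `go mod tidy` maintains one block for direct and one for indirect requirements, and an extra block only adds diff noise that the next tidy run will undo.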
No need to create another require()
Could you squash the commits? Then LGTM
force-pushed from f405a3e to 0bfc67f
Thanks, but please sign the commit for DCO (run
Signed-off-by: Balasaheb Salunke <bg.salunke09@gmail.com>
force-pushed from 0bfc67f to e2dbab5
Thanks
@AkihiroSuda Thank you for the help. I see it's marked for v1.1.0. Any rough timeline for the v1.1.0 release?
As soon as containerd/accelerated-container-image#155 (comment) is addressed
Upgrade indirect dependency go-libp2p-core v0.8.6 to go-libp2p-core v0.20.1 to remove the indirect dependency on the btcd module, which is vulnerable to CVE-2022-44797
What is it fixing
nerdctl has an indirect dependency module ("github.com/btcsuite/btcd v0.21.0-beta") with a vulnerability reported at https://nvd.nist.gov/vuln/detail/CVE-2022-44797.
As explained by @AkihiroSuda, it's a false positive: nerdctl does not trigger the code path that invokes the "btcd" module in any way. The fix provided was VEX, set to eliminate it in #1571.
However, AFAIK some of the open source scanners do not support VEX as of today, e.g. aquasecurity/trivy#1836.
Fix
Upgrade indirect dependency go-libp2p-core v0.8.6 to go-libp2p-core v0.20.1
Please let me know if more information needs to be added.
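To check for yourself whether a flagged module such as btcd is actually pulled into the build, and through which chain, the real tools are `go mod why -m github.com/btcsuite/btcd` and `go mod graph`. The Go program below is an added example, not code from nerdctl or from this PR: it reproduces the `go mod why -m` computation over a constructed `go mod graph` snapshot. The module names in the snapshot come from this PR's description, but the go-ipfs-http-client version, the `example.com/unrelated` module and the exact set of edges are assumptions. It finds the shortest requirement chain from the main module to any version of a target module, and shows that in the post-upgrade graph no chain to btcd remains.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const root = "github.com/containerd/nerdctl"

// Constructed snapshot in `go mod graph` format ("parent child" per line, one
// edge per line, versions after "@"). The go-ipfs-http-client version and the
// example.com/unrelated module are assumptions; only the chain through
// go-libp2p-core to btcd follows this PR's description.
const graphBefore = `github.com/containerd/nerdctl github.com/ipfs/go-ipfs-http-client@v0.4.0
github.com/containerd/nerdctl example.com/unrelated@v1.0.0
github.com/ipfs/go-ipfs-http-client@v0.4.0 github.com/libp2p/go-libp2p-core@v0.8.6
github.com/libp2p/go-libp2p-core@v0.8.6 github.com/btcsuite/btcd@v0.21.0-beta
github.com/libp2p/go-libp2p-core@v0.8.6 example.com/unrelated@v1.0.0
`

// Same constructed graph after bumping go-libp2p-core to v0.20.1, which, per
// the PR description, no longer requires btcd.
const graphAfter = `github.com/containerd/nerdctl github.com/ipfs/go-ipfs-http-client@v0.4.0
github.com/containerd/nerdctl example.com/unrelated@v1.0.0
github.com/ipfs/go-ipfs-http-client@v0.4.0 github.com/libp2p/go-libp2p-core@v0.20.1
github.com/libp2p/go-libp2p-core@v0.20.1 example.com/unrelated@v1.0.0
`

// parseGraph turns `go mod graph` text into an adjacency list keyed by the
// exact "path@version" node string.
func parseGraph(graph string) map[string][]string {
	adj := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(graph))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue // skip blank or malformed lines
		}
		adj[f[0]] = append(adj[f[0]], f[1])
	}
	return adj
}

// modPath strips the "@version" suffix so a target can be matched by module
// path regardless of which version the graph selected.
func modPath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// WhyModule is the `go mod why -m` computation: a shortest requirement chain
// (breadth-first search) from the main module to any version of target, or
// nil when no version of target appears in the graph at all.
func WhyModule(graph, mainMod, target string) []string {
	adj := parseGraph(graph)
	parent := map[string]string{mainMod: ""}
	queue := []string{mainMod}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if modPath(cur) == target {
			var chain []string
			for n := cur; n != ""; n = parent[n] {
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, next := range adj[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func report(label, graph string) {
	chain := WhyModule(graph, root, "github.com/btcsuite/btcd")
	if chain == nil {
		fmt.Printf("%s: github.com/btcsuite/btcd is not in the module graph\n", label)
		return
	}
	fmt.Printf("%s: %s\n", label, strings.Join(chain, " -> "))
}

func main() {
	report("before", graphBefore)
	report("after ", graphAfter)
}
```

Module-level reachability is only the first check. A module can be required without any of its vulnerable functions ever being called, which is the false-positive situation described above; `govulncheck` goes one step further and reports a finding only when a vulnerable symbol is reachable in the binary's call graph, while scanners that work from go.mod or the binary's embedded module list cannot make that distinction. That gap is why dropping the module outright, rather than relying on VEX, was needed here.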