Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

user-reported security scan finding #10164

Closed
wmorgan opened this issue Jan 19, 2023 · 1 comment · Fixed by #10237
Closed

user-reported security scan finding #10164

wmorgan opened this issue Jan 19, 2023 · 1 comment · Fixed by #10237
Assignees
@adleong
Labels
area/build area/security priority/P1 Planned for Release
Milestone
stable-2.13.0

Comments

@wmorgan
Copy link
Member

wmorgan commented Jan 19, 2023

What is the issue?

A user reported a security scan finding for Linkerd's controller image in 2.12.3:

| PRISMA-2022-0227 | high     | 7.50 | github.com/emicklei/go-restful/v3 | v3.8.0  | fixed in v3.10.0        | > 6 months | < 1 hour   | github.com/emicklei/go-restful/v3 |

This issue has to do with how go-restful handles certain URLs that allows REST authentication to be bypassed.

Since Linkerd does not use REST authentication I believe this does not present a real issue for us. However, for hygiene reasons we may want to upgrade go-restful at some point.

How can it be reproduced?

Run the security scan software.

Logs, error output, etc

See above

output of linkerd check -o short

Unknown

Environment

Unknown

Possible solution

No response

Additional context

No response

Would you like to work on fixing this bug?

None
@wmorgan wmorgan added bug and removed bug labels Jan 19, 2023
@olix0r
Copy link
Member

olix0r commented Jan 19, 2023

No idea why dependabot hasn't flagged this -- and there are no open dependency security alerts on this repo...

FWIW, Linkerd isn't using this library's authentication logic, so this isn't a "real" issue, but we should try to fix it if there aren't major blockers.

@olix0r olix0r added this to the stable-2.13.0 milestone Jan 19, 2023
@adleong adleong self-assigned this Feb 1, 2023
@adleong adleong mentioned this issue Feb 1, 2023
Merged
adleong added a commit that referenced this issue Feb 1, 2023
@adleong
Bump version of go-restful (#10237)
c9a8860 
Fixes #10164 

The version of go-restful that we depend on has been flagged as a security vulnerability.  Even though this vulnerability does not affect Linkerd, we upgrade this dependency to silence security warnings.

Signed-off-by: Alex Leong <alex@buoyant.io>
hawkw pushed a commit that referenced this issue Feb 3, 2023
@adleong @hawkw
Bump version of go-restful (#10237)
f171c3a 
Fixes #10164

The version of go-restful that we depend on has been flagged as a security vulnerability.  Even though this vulnerability does not affect Linkerd, we upgrade this dependency to silence security warnings.

Signed-off-by: Alex Leong <alex@buoyant.io>
hawkw pushed a commit that referenced this issue Feb 6, 2023
@adleong @hawkw
Bump version of go-restful (#10237)
841980a 
Fixes #10164

The version of go-restful that we depend on has been flagged as a security vulnerability.  Even though this vulnerability does not affect Linkerd, we upgrade this dependency to silence security warnings.

Signed-off-by: Alex Leong <alex@buoyant.io>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 4, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@adleong adleong

Labels
area/build area/security priority/P1 Planned for Release
Projects
None yet
Milestone
stable-2.13.0
Development

Successfully merging a pull request may close this issue.

Bump version of go-restful linkerd/linkerd2
3 participants
@wmorgan @olix0r @adleong