fix: mitigate CVE-2022-27664 #365

Merged
merged 5 commits into from
Dec 14, 2022

@rikez rikez commented Dec 13, 2022

Resolves #363

Go 1.19.x defaults to 1.19.4, which includes the patch to fix the vulnerability.

@rikez rikez requested a review from a team as a code owner December 13, 2022 19:39
@rikez rikez requested review from knksmith57, alecjacobs5401 and asaf-erlich and removed request for a team December 13, 2022 19:39

@mckern mckern left a comment

Doesn't this need to be updated in release.yml too?

@mckern mckern left a comment

I think this will Do The Thing. You'll need to push a tag when it's merged, and I believe the release notes for the new release will be generated for all commits between 0fda232 and HEAD so maybe cut it as v2.11.0? I assume the commits in this PR will be squash merged, so that might be a good space to condense notes down into something that looks like release notes.

@rikez rikez merged commit f64f40e into master Dec 14, 2022
@rikez rikez deleted the ealvarenga/cve-2022-27664 branch December 14, 2022 00:40
Development

Successfully merging this pull request may close these issues.

CVE-2022-27664 - net/http in Go before 1.18.6 and 1.19.x before 1.19.1