Upgrade to go 1.21.2+ #422

Open
vinsonxing opened this issue Oct 25, 2023 · 5 comments

@vinsonxing

vinsonxing commented Oct 25, 2023

Hi,

Do you have a plan to upgrade the golang version to 1.21.2+ (currently grpcurl 1.8.9 is built on top of golang 1.21.1)? In our security scanning, we get a Critical issue in 1.21.1 (CVE-2023-39323).

Thanks

@gfrankliu

Our scanner also complained about https://nvd.nist.gov/vuln/detail/CVE-2023-44487 due to go 1.21.1.

Apart from go, there is also the grpc version that needs to be upgraded: GHSA-m425-mq94-257g

@lokeshmavale

Same, Critical issue with: GHSA-m425-mq94-257g

@vinsonxing
Author

Will this be fixed in a new version? What's the timeline?

@dragonsinth
Member

There's no threat model for either of these vulns for gRPCurl. So we have no urgency to address them.

@enakshipriya

I am not raising another issue because I found this open one. Even in our case we are getting security vulns due to the below CVE IDs, which require an upgrade to golang version 1.21.2+:

CVE-2023-39323
CVE-2023-45285
CVE-2023-45283
CVE-2023-39325
CVE-2023-45284
CVE-2023-39326
