
Bump Go dependencies to address various CVEs #12777

Merged
merged 3 commits into from
Jan 8, 2024

Conversation

nywilken

@nywilken nywilken commented Jan 8, 2024

This change makes the following changes to address a number of reported vulnerabilities within the Go toolchain and
Packer dependencies. There have been no reported exploits within Packer, but all vulnerable dependencies are being bumped
to mitigate potential attacks.

~>  govulncheck ./...
Scanning your code and 921 packages across 169 dependent modules for known vulnerabilities...

No vulnerabilities found.

Share feedback at https://go.dev/s/govulncheck-feedback.

Bumped to pull in security fixes to the go command, the net/http package,
and path/filepath package.

@nywilken nywilken requested a review from a team as a code owner January 8, 2024 16:04

@lbajolet-hashicorp lbajolet-hashicorp left a comment


LGTM!

@lbajolet-hashicorp lbajolet-hashicorp added the dependencies Auto-pinning label Jan 8, 2024
@lbajolet-hashicorp lbajolet-hashicorp merged commit bfc3f8b into main Jan 8, 2024
@lbajolet-hashicorp lbajolet-hashicorp added the backport/1.10.x Backport PR changes to `release/1.10.x` label Jan 8, 2024
@lbajolet-hashicorp lbajolet-hashicorp deleted the nywilken/bump-go-deps branch January 8, 2024 16:19
@finnigja

Note this github.com/go-git/go-git/v5 bump also addresses CVE-2023-49569.


I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 11, 2024