
Security Vulnerabilities #2789

Closed
kothabindu opened this issue Dec 10, 2021 · 6 comments

Comments

@kothabindu

No description provided.

@amccague

Can I second this? v0.23.0 has the following active critical severity vulnerability:

CVE-2021-38297: Go 1.16.7, fixed in 1.17.2 and 1.16.9

@amccague

amccague commented Jan 7, 2022

@roidelapluie could I encourage a release? There hasn't been one in a while. (I'm not sure if you're the right person to ask, mind, so I apologise for the direct tag if not.)
This critical CVE should have been resolved through #2792

@amccague

amccague commented Jan 7, 2022

Or @SuperQ

@hoffie
Contributor

hoffie commented Jan 7, 2022

> Can I second this? v0.23.0 has the following active critical severity vulnerability:
>
> CVE-2021-38297: Go 1.16.7, fixed in 1.17.2 and 1.16.9

According to NVD, this vulnerability only affects code which is being compiled for WASM/JS. Are you compiling and using Alertmanager (i.e. the Go code, not the web UI) in such a way? I think this would be a very niche use case for alertmanager.

Not saying that I'd vote against a fresh release with updated components, just wanted to chime in to clarify that the referenced CVE does not sound critical (or even relevant) to standard Alertmanager use cases.
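The point above, that CVE-2021-38297 only matters for binaries built for the js/wasm target, is something operators can check mechanically rather than by reading each advisory. The following is an added example written for this page (it is not Alertmanager code and not part of the thread): it triages the output of `go version -m <binary>` against the fix versions quoted in the issue (1.16.9, 1.17.2). Assumptions: the `go version -m` output shape shown in the embedded sample is constructed, not captured from a real binary; binaries built before Go 1.18 record no `build GOOS=`/`GOARCH=` settings, so their target is reported as unknown and treated conservatively; and Go lines older than 1.16 never received the fix, so they are counted as affected.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// First fixed patch level per Go minor line for CVE-2021-38297,
// from the fix versions quoted in the issue (1.16.9 and 1.17.2).
var firstFixedPatch = map[int]int{16: 9, 17: 2}

type goVersion struct{ major, minor, patch int }

// parseGoVersion parses toolchain strings such as "go1.16.7" or "go1.17".
// Pre-release strings like "go1.17rc1" are rejected rather than guessed at.
func parseGoVersion(s string) (v goVersion, err error) {
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("unrecognised go version %q", s)
	}
	nums := [3]int{}
	for i, p := range parts {
		if nums[i], err = strconv.Atoi(p); err != nil {
			return v, fmt.Errorf("unrecognised go version %q", s)
		}
	}
	return goVersion{nums[0], nums[1], nums[2]}, nil
}

// toolchainAffected reports whether a toolchain predates the fix. Lines older
// than 1.16 were unsupported when the fix shipped and never received it, so
// they are treated as affected (assumption, conservative).
func toolchainAffected(v goVersion) bool {
	if v.major != 1 || v.minor > 17 {
		return false // 1.18+ ships with the fix
	}
	fixed, ok := firstFixedPatch[v.minor]
	if !ok {
		return true // 1.15 and older
	}
	return v.patch < fixed
}

// buildInfo holds what `go version -m <binary>` reports: the toolchain that
// built the binary and, for Go 1.18+ binaries only, the build settings.
type buildInfo struct {
	GoVersion string
	Settings  map[string]string
}

func parseVersionM(out string) (buildInfo, error) {
	bi := buildInfo{Settings: map[string]string{}}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "\t") {
			// Header line, e.g. "alertmanager: go1.16.7".
			if i := strings.LastIndex(line, ": go"); i >= 0 {
				bi.GoVersion = strings.TrimSpace(line[i+2:])
			}
			continue
		}
		// Detail lines are tab-separated, e.g. "\tbuild\tGOOS=linux".
		fields := strings.Split(strings.TrimPrefix(line, "\t"), "\t")
		if len(fields) >= 2 && fields[0] == "build" {
			if kv := strings.SplitN(fields[1], "=", 2); len(kv) == 2 {
				bi.Settings[kv[0]] = kv[1]
			}
		}
	}
	if bi.GoVersion == "" {
		return bi, fmt.Errorf("no toolchain version line found")
	}
	return bi, nil
}

// Verdict is the triage result for one binary.
type Verdict struct {
	GoVersion         string
	ToolchainAffected bool   // built with a toolchain that predates the fix
	Target            string // "js/wasm", "other", or "unknown" (no build settings recorded)
	Relevant          bool   // affected toolchain and a js/wasm (or unknown) target
}

// Assess triages `go version -m` output against CVE-2021-38297. The vulnerable
// code is only emitted for js/wasm builds, so an affected toolchain is marked
// Relevant only when the target is js/wasm or cannot be determined.
func Assess(versionMOutput string) (Verdict, error) {
	bi, err := parseVersionM(versionMOutput)
	if err != nil {
		return Verdict{}, err
	}
	v, err := parseGoVersion(bi.GoVersion)
	if err != nil {
		return Verdict{}, err
	}
	verdict := Verdict{GoVersion: bi.GoVersion, ToolchainAffected: toolchainAffected(v)}
	goos, goarch := bi.Settings["GOOS"], bi.Settings["GOARCH"]
	switch {
	case goos == "" || goarch == "":
		verdict.Target = "unknown"
	case goos == "js" && goarch == "wasm":
		verdict.Target = "js/wasm"
	default:
		verdict.Target = "other"
	}
	verdict.Relevant = verdict.ToolchainAffected && verdict.Target != "other"
	return verdict, nil
}

// Constructed sample (not captured from a real binary): a Go 1.16.7 build
// records no build settings, so its target cannot be confirmed from the binary.
const sampleV023 = "alertmanager: go1.16.7\n" +
	"\tpath\tgithub.com/prometheus/alertmanager/cmd/alertmanager\n" +
	"\tmod\tgithub.com/prometheus/alertmanager\t(devel)\n"

func main() {
	v, err := Assess(sampleV023)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s: toolchain affected=%v target=%s relevant=%v\n",
		v.GoVersion, v.ToolchainAffected, v.Target, v.Relevant)
}
```

In practice you would pipe `go version -m /path/to/alertmanager` into `Assess`; for a pre-1.18 binary the target comes back unknown, so the only way to close the question is to know how the binary was built, which is exactly the per-organisation inspection the next comment objects to having to do.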

@amccague

amccague commented Jan 7, 2022

> > Can I second this? v0.23.0 has the following active critical severity vulnerability:
> > CVE-2021-38297: Go 1.16.7, fixed in 1.17.2 and 1.16.9
>
> According to NVD, this vulnerability only affects code which is being compiled for WASM/JS. Are you compiling and using Alertmanager (i.e. the Go code, not the web UI) in such a way? I think this would be a very niche use case for alertmanager.
>
> Not saying that I'd vote against a fresh release with updated components, just wanted to chime in to clarify that the referenced CVE does not sound critical (or even relevant) to standard Alertmanager use cases.

Whilst I absolutely agree this is the case, and that it is unlikely to be exploitable here, it does not scale well for organisations to inspect every vulnerability that arises to see whether it can be exploited in their particular setting. Normally, when a fix is published, many (in particular regulated industries) will expect it to be resolved, to reduce noise and overheads.

@simonpasquier
Member

closed by #3187
