Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2024-45338 found #167

Closed
ywk253100 opened this issue Jan 15, 2025 · 1 comment · Fixed by #168
Closed

CVE-2024-45338 found #167

ywk253100 opened this issue Jan 15, 2025 · 1 comment · Fixed by #168

Comments

@ywk253100
Copy link

The package golang.org/x/net (version v0.24.0) in the latest release contains CVE CVE-2024-45338: https://pkg.go.dev/vuln/GO-2024-3333, it should be bumped up to v0.33.0.

The package was bumped up to v0.33.0by #164, but because of the replace instruction replace golang.org/x/net => golang.org/x/net v0.24.0 in the go.mod it doesn't work.

BTW, curious are the replace instructions in the go.mod necessary?
@jsturtevant jsturtevant mentioned this issue Jan 17, 2025
Merged
@jsturtevant
Copy link
Contributor

BTW, curious are the replace instructions in the go.mod necessary?

Yes, since some of the downstream deps (we don't have many) point to an older version. So when running go mod tidy you will end up with older versions in that file which triggers some systems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update deps in the replaces as well jsturtevant/windows-gmsa
2 participants
@jsturtevant @ywk253100