
Upgrade golang.org/x/sys/unix to at least v0.0.0-20220412211240-33da011f77ad for vulnerability fix #3234

Closed
marcofeltmann opened this issue Sep 25, 2022 · 1 comment · Fixed by #3235
Labels
bug Something isn't working

Comments


Description

According to the new Go vulnerability check there is a security issue in the golang.org/x/sys/unix package before v0.0.0-20220412211240-33da011f77ad, which is currently used by go.opentelemetry.io/otel/sdk v1.10.0 (resource subpackage).

Environment

  • OS: Linux gopherbook 5.19.0-1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.19.6-1 (2022-09-01) x86_64 GNU/Linux
  • Architecture x86_64
  • go version go1.19.1 linux/amd64
  • opentelemetry-go version: v1.10.0 (updated minutes ago)

Steps To Reproduce

  1. go install golang.org/x/vuln/cmd/govulncheck@latest
  2. govulncheck package/using/otel/sdk

Expected behavior

I don't want to see any vulnerability issued packages used here.

Reality

```
$ govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-0493
  When called with a non-zero flags parameter, the Faccessat function
  can incorrectly report that a file is accessible.

  Found in: golang.org/x/sys/unix@v0.0.0-20220111092808-5a964db01320
  Fixed in: golang.org/x/sys/unix@v0.0.0-20220412211240-33da011f77ad
  More info: https://pkg.go.dev/vuln/GO-2022-0493
```

```
$ go mod why golang.org/x/sys/unix
# golang.org/x/sys/unix
github.com/company/package
go.opentelemetry.io/otel/sdk/resource
golang.org/x/sys/unix
```

@marcofeltmann marcofeltmann added the bug Something isn't working label Sep 25, 2022
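The triage a maintainer does on a report like the one above, as an added example that is not part of this issue or of opentelemetry-go: parse the 2022-era govulncheck text report, decide whether the version the build resolves is at or past the advisory's "Fixed in" version (pseudo-versions with the same v0.0.0 base order by their embedded commit timestamp; a tagged release such as v0.1.0 orders above any v0.0.0 pseudo-version), and read `go mod why` to find the dependency, rather than the scanned module's own code, that imports the vulnerable package. The embedded report and `go mod why` text are constructed from the issue (abridged); `ParseGovulncheck`, `IsFixed` and `DirectImporter` are this example's own names, not govulncheck or Go toolchain APIs.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample input, abridged from the govulncheck report and the
// `go mod why` output quoted in the issue, so the example runs offline.
const govulncheckOutput = `=== Informational ===

Vulnerability #1: GO-2022-0493
  When called with a non-zero flags parameter, the Faccessat function
  can incorrectly report that a file is accessible.

  Found in: golang.org/x/sys/unix@v0.0.0-20220111092808-5a964db01320
  Fixed in: golang.org/x/sys/unix@v0.0.0-20220412211240-33da011f77ad
  More info: https://pkg.go.dev/vuln/GO-2022-0493
`

const goModWhyOutput = `# golang.org/x/sys/unix
github.com/company/package
go.opentelemetry.io/otel/sdk/resource
golang.org/x/sys/unix
`

// Finding is one "Vulnerability #N" entry of the text report format above.
type Finding struct {
	ID, Summary, Package, FoundIn, FixedIn string
	Informational                          bool // under "=== Informational ===": imported, not called
}

var (
	vulnHeader = regexp.MustCompile(`^Vulnerability #\d+: (GO-\d{4}-\d+)$`)
	pkgAtVer   = regexp.MustCompile(`^(\S+)@(\S+)$`)
	pseudoTS   = regexp.MustCompile(`(\d{14})-[0-9a-f]{12}$`) // yyyymmddhhmmss-commit
)

// ParseGovulncheck parses the text layout quoted in the issue. Later govulncheck
// releases print a different layout; `govulncheck -json` is the durable interface.
func ParseGovulncheck(report string) ([]Finding, error) {
	var out []Finding
	informational, cur := false, -1
	sc := bufio.NewScanner(strings.NewReader(report))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "=== Informational ===":
			informational = true
		case vulnHeader.MatchString(line):
			out = append(out, Finding{ID: vulnHeader.FindStringSubmatch(line)[1], Informational: informational})
			cur = len(out) - 1
		case cur < 0 || line == "" || strings.HasPrefix(line, "More info:"):
			// preamble, blank line, or advisory link: nothing to record
		case strings.HasPrefix(line, "Found in: "), strings.HasPrefix(line, "Fixed in: "):
			m := pkgAtVer.FindStringSubmatch(line[len("Found in: "):]) // both prefixes are 10 bytes
			if m == nil {
				return nil, fmt.Errorf("unparseable version line: %q", line)
			}
			if strings.HasPrefix(line, "Found") {
				out[cur].Package, out[cur].FoundIn = m[1], m[2]
			} else {
				out[cur].FixedIn = m[2]
			}
		case out[cur].FoundIn == "":
			// free-text description lines sit between the header and "Found in:"
			out[cur].Summary = strings.TrimSpace(out[cur].Summary + " " + line)
		}
	}
	return out, sc.Err()
}

// version is the minimal decomposition needed to order module versions: the
// vMAJOR.MINOR.PATCH base plus the pre-release suffix (pseudo-versions keep
// their commit timestamp there; tagged releases have none).
type version struct {
	major, minor, patch int
	pre                 string
}

func parseVersion(v string) (version, error) {
	var ver version
	base, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	if _, err := fmt.Sscanf(base, "%d.%d.%d", &ver.major, &ver.minor, &ver.patch); err != nil {
		return ver, fmt.Errorf("bad module version %q: %v", v, err)
	}
	ver.pre = pre
	return ver, nil
}

// compare: numeric base first; a tagged release outranks any pre-release of the
// same base (semver rule); two pseudo-versions order by their fixed-width timestamp.
func compare(a, b version) int {
	for _, d := range []int{a.major - b.major, a.minor - b.minor, a.patch - b.patch} {
		if d != 0 {
			return d
		}
	}
	switch {
	case a.pre == "" && b.pre == "":
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	if ta, tb := pseudoTS.FindStringSubmatch(a.pre), pseudoTS.FindStringSubmatch(b.pre); ta != nil && tb != nil {
		return strings.Compare(ta[1], tb[1])
	}
	return strings.Compare(a.pre, b.pre)
}

// IsFixed reports whether the resolved version is at or past the advisory's fixed version.
func IsFixed(found, fixed string) (bool, error) {
	a, err := parseVersion(found)
	if err != nil {
		return false, err
	}
	b, err := parseVersion(fixed)
	if err != nil {
		return false, err
	}
	return compare(a, b) >= 0, nil
}

// DirectImporter returns the package just above the vulnerable one in the
// `go mod why` chain: the dependency whose go.mod must move, not the scanned module.
func DirectImporter(goModWhy string) string {
	var chain []string
	for _, l := range strings.Split(strings.TrimSpace(goModWhy), "\n") {
		if l != "" && !strings.HasPrefix(l, "#") {
			chain = append(chain, l)
		}
	}
	if len(chain) < 2 {
		return ""
	}
	return chain[len(chain)-2]
}

func main() {
	findings, err := ParseGovulncheck(govulncheckOutput)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		ok, err := IsFixed(f.FoundIn, f.FixedIn)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s in %s: have %s, need %s, fixed=%v, informational=%v\n  pulled in by %s\n",
			f.ID, f.Package, f.FoundIn, f.FixedIn, ok, f.Informational, DirectImporter(goModWhyOutput))
	}
}
```

The `Informational` flag keeps govulncheck's distinction between an import-level match and a call-level one, which is what the "you may not need to take any action" wording reflects. A consumer can also require the newer golang.org/x/sys in its own go.mod as a stopgap (minimal version selection takes the higher requirement), but only the dependency bumping its own requirement, as the commit referenced below does, fixes it for every consumer.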
MrAlias added a commit to MrAlias/opentelemetry-go that referenced this issue Sep 26, 2022
Fix open-telemetry#3234

Address GO-2022-0493 by upgrading golang.org/x/sys/unix from
v0.0.0-20210423185535-09eb48e85fd7 to
v0.0.0-20220919091848-fb04ddd9f9c8.

MrAlias commented Sep 26, 2022

@MrAlias MrAlias added this to the Release v1.11.0 milestone Sep 26, 2022
MrAlias added a commit that referenced this issue Sep 27, 2022
* Bump golang.org/x/sys/unix

Fix #3234

Address GO-2022-0493 by upgrading golang.org/x/sys/unix from
v0.0.0-20210423185535-09eb48e85fd7 to
v0.0.0-20220919091848-fb04ddd9f9c8.

* Add changes to changelog
@pellared pellared moved this to Closed in Go: Triage Nov 2, 2023