
all: upgrade immediately to at least Go1.22.7 due to 3 high severity vulnerabilities: CVE-2024-34158, CVE-2024-34155 and CVE-2024-24791 #3033

Open
odeke-em opened this issue Oct 27, 2024 · 1 comment
Labels: security (Security-sensitive issue)

@odeke-em
This code constrains itself to Go1.22.4, but there are 3 critical vulnerabilities that were fixed in Go1.22.7:

  1. "Stack exhaustion in Parse in go/build/constraint" https://pkg.go.dev/vuln/GO-2024-3107 at gnovm/pkg/gnolang/go2gno.go:77
  2. "Stack exhaustion in all Parse functions in go/parser" https://pkg.go.dev/vuln/GO-2024-3105 at gnovm/pkg/gnolang/go2gno.go:77 gnovm/pkg/gnolang/nodes.go:1137
  3. "Denial of service due to improper 100-continue handling in net/http" https://pkg.go.dev/vuln/GO-2024-2963 at tm2/pkg/p2p/upnp/upnp.go:275 tm2/pkg/p2p/upnp/upnp.go:201

Please upgrade ASAP. Kindly cc-ing @jaekwon
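The first two findings above are stack-exhaustion bugs in go/parser and go/build/constraint, reached from go2gno.go, which feeds externally supplied source into the parser. The upgrade is the fix; the following is an added example, not gno's code and not from this issue, of the defense-in-depth guard one would put in front of a parser that handles untrusted source: bound the input size and the bracket nesting depth with the iterative go/scanner before letting the recursive-descent parser touch it. The limits (1 MiB, depth 64), the function names and the constructed sample inputs are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"go/ast"
	"go/parser"
	"go/scanner"
	"go/token"
	"strings"
)

// MaxNesting returns the deepest (), [] or {} nesting found in src.
// go/scanner tokenizes iteratively, so measuring depth here cannot
// itself recurse on the input.
func MaxNesting(src []byte) int {
	fset := token.NewFileSet()
	file := fset.AddFile("input.go", fset.Base(), len(src))
	var s scanner.Scanner
	s.Init(file, src, nil, 0) // nil error handler: malformed tokens are simply skipped

	depth, maxDepth := 0, 0
	for {
		_, tok, _ := s.Scan()
		if tok == token.EOF {
			break
		}
		switch tok {
		case token.LPAREN, token.LBRACK, token.LBRACE:
			depth++
			if depth > maxDepth {
				maxDepth = depth
			}
		case token.RPAREN, token.RBRACK, token.RBRACE:
			if depth > 0 {
				depth--
			}
		}
	}
	return maxDepth
}

var (
	ErrTooLarge = errors.New("source rejected: size exceeds limit")
	ErrTooDeep  = errors.New("source rejected: nesting depth exceeds limit")
)

// ParseUntrusted (assumed name) enforces size and depth limits before
// handing src to go/parser. The limits are illustrative, not gno's values.
func ParseUntrusted(src []byte, maxBytes, maxDepth int) (*ast.File, error) {
	if len(src) > maxBytes {
		return nil, fmt.Errorf("%w (%d > %d bytes)", ErrTooLarge, len(src), maxBytes)
	}
	if d := MaxNesting(src); d > maxDepth {
		return nil, fmt.Errorf("%w (%d > %d)", ErrTooDeep, d, maxDepth)
	}
	fset := token.NewFileSet()
	return parser.ParseFile(fset, "input.go", src, parser.ParseComments)
}

// DeeplyNested builds a constructed sample: a file whose one expression is
// n nested parentheses, the shape that drives a recursive parser deepest.
func DeeplyNested(n int) []byte {
	return []byte("package p\nvar x = " + strings.Repeat("(", n) + "1" + strings.Repeat(")", n) + "\n")
}

func main() {
	// Constructed benign input: accepted and parsed normally.
	benign := []byte("package p\n\nfunc Add(a, b int) int { return a + b }\n")
	if f, err := ParseUntrusted(benign, 1<<20, 64); err == nil {
		fmt.Println("accepted package", f.Name.Name, "max nesting", MaxNesting(benign))
	}
	// Constructed hostile input: rejected before go/parser ever runs.
	_, err := ParseUntrusted(DeeplyNested(10000), 1<<20, 64)
	fmt.Println("rejected:", err)
}
```

The guard is cheap (one linear scan) and independent of the toolchain version, so it keeps protecting the node even if a future parser regression reintroduces deep recursion; it complements, and does not replace, the Go1.22.7 upgrade and a `govulncheck ./...` run in CI.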

@kristovatlas kristovatlas self-assigned this Oct 29, 2024
@kristovatlas kristovatlas added the security Security-sensitive issue label Oct 29, 2024
@kristovatlas (Contributor)

Thanks for the report, @odeke-em. We're looking into it.
