CVE-2024-24791 in sops binary v3.9.0 #1572

oschni · 2024-08-02T06:57:18Z

Our scanning jobs have identified a new CVE "CVE-2024-24791" in the sops binary v3.9.0. This is an issue with the Go standard library net/http.

Is it possible to rebuilt sops binaries once the vulnerability has been fixed?

duthils · 2024-09-14T13:52:47Z

This CVE is fixed in go 1.22.5, see the release announcement.

The go toolchain was updated to 1.22.5 in #1589

felixfontein · 2024-09-14T14:52:05Z

I know almost nothing about how goreleaser works, but the release workflow still runs with Go 1.21.x. I created #1615 to change that. (PR to update Go version in CI: #1531.)

duthils · 2024-09-14T15:17:06Z

Oh, right... For the record, the CVE issue is also fixed in 1.21.12, see the release announcement.

reneleonhardt · 2024-09-17T11:16:06Z

FYI the latest security fixes have not been backported anymore, so 1.21.13 shoudn't be used anymore:
https://go.dev/doc/devel/release#go1.22.7

oschni changed the title ~~CVE-2024-24791 in sops Binary v3.9.0~~ CVE-2024-24791 in sops binary v3.9.0 Aug 2, 2024

felixfontein mentioned this issue Sep 14, 2024

Build release with Go 1.22.x #1615

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2024-24791 in sops binary v3.9.0 #1572

CVE-2024-24791 in sops binary v3.9.0 #1572

oschni commented Aug 2, 2024

duthils commented Sep 14, 2024

felixfontein commented Sep 14, 2024

duthils commented Sep 14, 2024

reneleonhardt commented Sep 17, 2024

CVE-2024-24791 in sops binary v3.9.0 #1572

CVE-2024-24791 in sops binary v3.9.0 #1572

Comments

oschni commented Aug 2, 2024

duthils commented Sep 14, 2024

felixfontein commented Sep 14, 2024

duthils commented Sep 14, 2024

reneleonhardt commented Sep 17, 2024