Dependabot alert github.com/containerd/containerd v1.3.0 #1006

Closed
kuritka opened this issue Oct 5, 2021 · 2 comments · Fixed by #1009

Comments

@kuritka

kuritka commented Oct 5, 2021

Hi, Dependabot started complaining about the old version of containerd. The problem is that terratest hasn't updated the go-containerregistry package (https://github.com/gruntwork-io/terratest/blob/master/go.mod#L21) in go.mod for a long time.

github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3

Please upgrade the version; it is currently v0.6.0.

The dependabot alert description: GHSA-c2h3-6mxw-7mvq

WDYT and Thanks

kuritka added a commit to k8gb-io/k8gb that referenced this issue Oct 5, 2021
Dependabot on k8gb reports an error: GHSA-c2h3-6mxw-7mvq
We do not use containerd in our terratests; this patch should fix the Dependabot alert until terratest is fixed.

 see terratest issue: gruntwork-io/terratest#1006

Signed-off-by: kuritka <[email protected]>
@yorinasub17
Contributor

This is being addressed in #1009

@yorinasub17 yorinasub17 linked a pull request Oct 6, 2021 that will close this issue
kuritka added a commit to k8gb-io/k8gb that referenced this issue Oct 6, 2021
follow-up #639, gruntwork-io/terratest#1006

During the time of disuse, the projects have already migrated to [golang-jwt/jwt](https://github.com/golang-jwt/jwt/blob/main/MIGRATION_GUIDE.md), which is a continuation of [github.com/dgrijalva/jwt-go](github.com/dgrijalva/jwt-go).

`github.com/gruntwork-io/[email protected]` uses the unsupported jwt-token in two paths:
```
github.com/gruntwork-io/[email protected] -> k8s.io/[email protected] -> github.com/Azure/go-autorest/autorest/adal v0.8.2 -> ... github.com/dgrijalva/[email protected]
```
The `replace github.com/Azure/go-autorest/autorest/adal => github.com/Azure/go-autorest/autorest/adal v0.9.16` rule fixed it.

(this path is on v0.32.17 but not much different from v0.37.12)
```
github.com/gruntwork-io/[email protected] -> github.com/google/[email protected] -> github.com/vdemeester/[email protected] -> k8s.io/legacy-cloud-providers -> k8s.io/apiserver -> go.etcd.io/[email protected] -> github.com/dgrijalva/[email protected]
```
The `replace github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0` rule fixed it.

`github.com/gruntwork-io/[email protected]` uses `github.com/google/[email protected]`, which links an unpatched old version of `github.com/containerd/containerd`.
If I override go-containerregistry `github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0` then it generates this:
```
github.com/containerd/containerd v1.2.10/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.1-0.20191213020239-082f7e3aed57/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.4.0-beta.2.0.20200729163537-40b22ef07410/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.4.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.5.0-beta.1/go.mod h1:5HfvG1V2FsKesEGQ17k5/T7V960Tmcumvqn8Mc+pCYQ=
github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo/uBBoBORwEx6ardVcmKU=
github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI=
github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s=
github.com/containerd/containerd v1.5.2/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
```
But >= v1.4.1 are patched.

These rules will fix it:
```
replace github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0
replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.2
```

`github.com/gorilla/websocket` is resolved with the two steps mentioned above.

The final solution looks like this and works well if the assumption that my tests are not dependent on older versions of containerd and azure is met.
```go
replace (
	// CVE-2020-26160 (GHSA-w73w-5m7g-f7qc)
	github.com/Azure/go-autorest/autorest/adal => github.com/Azure/go-autorest/autorest/adal v0.9.16

	// CVE-2021-41103 (GHSA-c2h3-6mxw-7mvq)
	// CVE-2020-27813 (GHSA-3xh2-74w9-5vxm)
	// CVE-2020-26160 (GHSA-w73w-5m7g-f7qc)
	github.com/containerd/containerd => github.com/containerd/containerd v1.5.2
	github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0
)
```

Signed-off-by: kuritka <[email protected]>
kuritka added a commit to k8gb-io/k8gb that referenced this issue Oct 6, 2021
follow-up #639, gruntwork-io/terratest#1006

During the time of disuse, the projects have already migrated to [golang-jwt/jwt](https://github.com/golang-jwt/jwt/blob/main/MIGRATION_GUIDE.md), which is a continuation of [github.com/dgrijalva/jwt-go](github.com/dgrijalva/jwt-go).

`github.com/gruntwork-io/[email protected]` uses the unsupported jwt-token in two paths:
```
github.com/gruntwork-io/[email protected] -> k8s.io/[email protected] -> github.com/Azure/go-autorest/autorest/adal v0.8.2 -> ... github.com/dgrijalva/[email protected]
```
The `replace github.com/Azure/go-autorest/autorest/adal => github.com/Azure/go-autorest/autorest/adal v0.9.16` rule fixed it.

(this path is on v0.32.17 but not much different from v0.37.12)
```
github.com/gruntwork-io/[email protected] -> github.com/google/[email protected] -> github.com/vdemeester/[email protected] -> k8s.io/legacy-cloud-providers -> k8s.io/apiserver -> go.etcd.io/[email protected] -> github.com/dgrijalva/[email protected]
```
The `replace github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0` rule fixed it.

`github.com/gruntwork-io/[email protected]` uses `github.com/google/[email protected]`, which links an unpatched old version of `github.com/containerd/containerd`.
If I override go-containerregistry `github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0` then it generates this:
```
github.com/containerd/containerd v1.2.10/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.1-0.20191213020239-082f7e3aed57/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.4.0-beta.2.0.20200729163537-40b22ef07410/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.4.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.5.0-beta.1/go.mod h1:5HfvG1V2FsKesEGQ17k5/T7V960Tmcumvqn8Mc+pCYQ=
github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo/uBBoBORwEx6ardVcmKU=
github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI=
github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s=
github.com/containerd/containerd v1.5.2/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
```
But >= v1.4.1 are patched.

These rules will fix it:
```
replace github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0
replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.2
```

`github.com/gorilla/websocket` is resolved with the two steps mentioned above.

The problem is that we replace packages at the go.sum level but not in go.mod. That's why jwt-go is still downloaded. We must exclude it.
The final solution looks like this and works well if the assumption that my tests are not dependent on older versions of containerd and azure is met.
```go
replace (
	// CVE-2020-26160 (GHSA-w73w-5m7g-f7qc)
	github.com/Azure/go-autorest/autorest/adal => github.com/Azure/go-autorest/autorest/adal v0.9.16

	// CVE-2021-41103 (GHSA-c2h3-6mxw-7mvq)
	// CVE-2020-27813 (GHSA-3xh2-74w9-5vxm)
	// CVE-2020-26160 (GHSA-w73w-5m7g-f7qc)
	github.com/containerd/containerd => github.com/containerd/containerd v1.5.2
	github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0
)

exclude github.com/dgrijalva/jwt-go v3.2.0+incompatible
```

Signed-off-by: kuritka <[email protected]>
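The dependency chains in the commit messages above were traced by hand. As an added example (not code from the page, terratest or k8gb), this Go program does the same over `go mod graph` output: it picks the version that minimal version selection will build with, compares it with the first fixed release, and returns the requirement chain that drags it in. The module graph is constructed sample data, and the `example.com/mytests` root module and the `v1.4.11` threshold are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed `go mod graph` sample (not from the page or terratest): one "requirer requirement" edge per line.
const sampleGraph = `example.com/mytests github.com/gruntwork-io/terratest@v0.37.12
github.com/gruntwork-io/terratest@v0.37.12 github.com/google/go-containerregistry@v0.0.0-20200110202235-f4fb41bf00a3
github.com/google/go-containerregistry@v0.0.0-20200110202235-f4fb41bf00a3 github.com/containerd/containerd@v1.3.0`

// versionLess orders vMAJOR.MINOR.PATCH numerically; a "-..." pre-release or pseudo-version suffix sorts below the bare release.
func versionLess(a, b string) bool {
	atoi := func(s string) int { n, _ := strconv.Atoi(s); return n }
	ca, _, pa := strings.Cut(strings.TrimPrefix(a, "v"), "-")
	cb, _, pb := strings.Cut(strings.TrimPrefix(b, "v"), "-")
	fa, fb := strings.Split(ca, "."), strings.Split(cb, ".")
	for i := 0; i < len(fa) && i < len(fb); i++ {
		if na, nb := atoi(fa[i]), atoi(fb[i]); na != nb {
			return na < nb
		}
	}
	return pa && !pb
}

// chainTo walks the graph depth-first and returns one requirement chain from node to target (the "a -> b -> c" listing above).
func chainTo(graph map[string][]string, node, target string, seen map[string]bool) []string {
	if node == target {
		return []string{node}
	}
	seen[node] = true
	for _, next := range graph[node] {
		if !seen[next] {
			if rest := chainTo(graph, next, target, seen); rest != nil {
				return append([]string{node}, rest...)
			}
		}
	}
	return nil
}

// vulnerableVia parses `go mod graph` text, applies minimal version selection (the highest version any module
// requires wins; replace rules are already reflected in that output) and returns the chain requiring it when it is below minFixed.
func vulnerableVia(graphText, root, path, minFixed string) []string {
	graph, selected := map[string][]string{}, ""
	for _, line := range strings.Split(strings.TrimSpace(graphText), "\n") {
		from, to, _ := strings.Cut(line, " ")
		graph[from] = append(graph[from], to)
		if p, v, _ := strings.Cut(to, "@"); p == path && (selected == "" || versionLess(selected, v)) {
			selected = v
		}
	}
	if selected != "" && versionLess(selected, minFixed) {
		return chainTo(graph, root, path+"@"+selected, map[string]bool{})
	}
	return nil // already resolves to a fixed release, or the module is absent
}

func main() {
	if chain := vulnerableVia(sampleGraph, "example.com/mytests", "github.com/containerd/containerd", "v1.4.11"); chain != nil {
		fmt.Println("unpatched, required via: " + strings.Join(chain, " -> "))
	}
}
```

Feeding the real `go mod graph` output of the affected module in place of `sampleGraph` reproduces the hand-built listings, and running it again after adding the `replace` rules confirms that the selected version has moved above the fixed release.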
kuritka added a commit to k8gb-io/k8gb that referenced this issue Oct 6, 2021
follow-up #639, gruntwork-io/terratest#1006

CVE-2021-41103  github.com/containerd/containerd, only v1.4.11, v1.5.7 are patched
CVE-2020-27813  github.com/gorilla/websocket >= 1.4.1 is patched
CVE-2020-26160  github.com/dgrijalva/jwt-go, there is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1

The terratest package is the top of a tree that uses many packages in different versions that are often not updated. After GitHub issued an alert, it turns out that some packages deep inside are referencing long unsupported packages.
In order to solve the problems with the alerts, I had to specify which versions of the packages to use and which ones should not be downloaded (excluded, their versions are in the go.mod files).
The final solution works well if the assumption that our tests are not dependent on older versions of containerd or azure is met. I assume that in the future the problems will be solved on the terratest package side.

Signed-off-by: kuritka <[email protected]>
@kuritka
Author

kuritka commented Oct 6, 2021

@yorinasub17 I'm not sure it is so easy, because jwt-go is spread everywhere.

GitHub threw me three warnings:

CVE-2021-41103 github.com/containerd/containerd, only versions 1.4.11, 1.5.7 are fixed.
CVE-2020-27813 github.com/gorilla/websocket >= 1.4.1 is fixed.
CVE-2020-26160 github.com/dgrijalva/jwt-go, no patch is available and jwt-go users are advised to upgrade to golang-jwt version 3.2.1.

Patched containerd v1.5.7 uses jwt-go somewhere inside; likewise go-containerregistry uses the medieval go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489, which is again referencing jwt-go.

I think Azure is just the first piece of the problem.
