Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: CVE-2022-27664 #2081

Merged
merged 1 commit into from
Oct 5, 2022
Merged

[Bug]: CVE-2022-27664 #2081

merged 1 commit into from
Oct 5, 2022

Conversation

albertlockett
Copy link
Contributor

Which problem is this PR solving?

Which problem is this PR solving?
Upgrades the net and sys dependencies to mitigate CVE-2022-27664

Latest version was failing image scans.

Before changes:

$ trivy i quay.io/albert.lockett2/jaeger-operator:1.38.0
....
jaeger-operator (gobinary)
==========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |           FIXED VERSION           |                 TITLE                 |
+------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
| golang.org/x/net | CVE-2022-27664   | HIGH     | v0.0.0-20220722155237-a158d28d115b | 0.0.0-20220906165146-f3363e06e74c | golang: net/http: handle server       |
|                  |                  |          |                                    |                                   | errors after sending GOAWAY           |
|                  |                  |          |                                    |                                   | -->avd.aquasec.com/nvd/cve-2022-27664 |
+------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+

Short description of the changes

Ran

go get -u golang.org/x/net

Now the vuln is not in the scan:

$ trivy i quay.io/albert.lockett2/jaeger-operator:1.38.0
...

jaeger-operator (gobinary)
==========================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

@albertlockett
[Bug]: CVE-2022-27664
ce3403b 
Signed-off-by: albertlockett <[email protected]>
@codecov
Copy link

codecov bot commented Oct 4, 2022

Codecov Report

Base: 87.30% // Head: 87.30% // No change to project coverage 👍

Coverage data is based on head (ce3403b) compared to base (b371de2).
Patch has no changes to coverable lines.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #2081   +/-   ##
=======================================
  Coverage   87.30%   87.30%           
=======================================
  Files         100      100           
  Lines        6855     6855           
=======================================
  Hits         5985     5985           
  Misses        667      667           
  Partials      203      203

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

@frzifus frzifus merged commit b91747e into jaegertracing:main Oct 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frzifus frzifus frzifus approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@albertlockett @frzifus