
CVE-2023-24538 #88

Closed
Lucas-C opened this issue May 11, 2023 · 5 comments

Lucas-C commented May 11, 2023

Hi!

We use your package in our enterprise,
and our tooling (specifically Jfrog Artifactory XRay)
is reporting a security issue with @ls-lint/ls-lint related to CVE-2023-24538

10:41:26  Security Violations
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | SEVERITY | DIRECT           | DIRECT     | IMPACTED             | IMPACTED   | FIXED     | TYPE | CVE            |
10:41:26  |          | DEPENDENCY       | DEPENDENCY | DEPENDENCY           | DEPENDENCY | VERSIONS  |      |                |
10:41:26  |          |                  | VERSION    | NAME                 | VERSION    |           |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | Critical | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.19.8]  | Go   | CVE-2023-24538 |
10:41:26  |          |                  |            |                      |            | [1.20.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.12] | Go   | CVE-2022-28131 |
10:41:26  |          |                  |            |                      |            | [1.18.4]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.12] | Go   | CVE-2022-30630 |
10:41:26  |          |                  |            |                      |            | [1.18.4]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.19.8]  | Go   | CVE-2023-24536 |
10:41:26  |          |                  |            |                      |            | [1.20.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.12] | Go   | CVE-2022-30631 |
10:41:26  |          |                  |            |                      |            | [1.18.4]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.12] | Go   | CVE-2022-30635 |
10:41:26  |          |                  |            |                      |            | [1.18.4]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.12] | Go   | CVE-2022-30632 |
10:41:26  |          |                  |            |                      |            | [1.18.4]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.18.9]  | Go   | CVE-2022-41720 |
10:41:26  |          |                  |            |                      |            | [1.19.4]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.19.6]  | Go   | CVE-2022-41725 |
10:41:26  |          |                  |            |                      |            | [1.20.1]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.12] | Go   | CVE-2022-30633 |
10:41:26  |          |                  |            |                      |            | [1.18.4]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.18.7]  | Go   | CVE-2022-41715 |
10:41:26  |          |                  |            |                      |            | [1.19.2]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.13] | Go   | CVE-2022-32189 |
10:41:26  |          |                  |            |                      |            | [1.18.5]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.19.8]  | Go   | CVE-2023-24537 |
10:41:26  |          |                  |            |                      |            | [1.20.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.11] | Go   | CVE-2022-30580 |
10:41:26  |          |                  |            |                      |            | [1.18.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.18.7]  | Go   | CVE-2022-2879  |
10:41:26  |          |                  |            |                      |            | [1.19.2]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.11] | Go   | CVE-2022-30634 |
10:41:26  |          |                  |            |                      |            | [1.18.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.18.8]  | Go   | CVE-2022-41716 |
10:41:26  |          |                  |            |                      |            | [1.19.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.18.7]  | Go   | CVE-2022-2880  |
10:41:26  |          |                  |            |                      |            | [1.19.2]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.19.6]  | Go   | CVE-2022-41722 |
10:41:26  |          |                  |            |                      |            | [1.20.1]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.19.8]  | Go   | CVE-2023-24534 |
10:41:26  |          |                  |            |                      |            | [1.20.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.19.6]  | Go   | CVE-2022-41724 |
10:41:26  |          |                  |            |                      |            | [1.20.1]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.11] | Go   | CVE-2022-29804 |
10:41:26  |          |                  |            |                      |            | [1.18.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+

It appears that you use a static / fixed version of Go 1.18 in https://github.com/loeffel-io/ls-lint/blob/master/go.mod

Would it be possible to upgrade this version and perform a new release of @ls-lint/ls-lint please? 😊
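A check that goes with the report above, added here as an example and not code from ls-lint or from anyone in this thread: XRay is attributing Go standard-library CVEs to the ls-lint binary because the toolchain that compiled it (go1.18.2) is recorded in the binary's build info, which is the same data `go version -m <binary>` prints. Note that the `go 1.18` directive in go.mod only sets the language version; what the scanner sees is the toolchain that produced the release. The program below reads that embedded version with the standard `debug/buildinfo` package and compares it against an advisory's fixed versions, using the `[1.19.8] [1.20.3]` pair from the CVE-2023-24538 row of the table as the sample input. The comparison rule it implements (a build is patched if it sits on a listed release line at or above that line's patch, or on a newer line than any listed one; anything older is unpatched) is my reading of how Go backports fixes to its two supported release branches, not something stated on this page.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// GoVersion is a parsed Go toolchain version such as go1.18.2.
type GoVersion struct {
	Major, Minor, Patch int
}

// ParseGoVersion parses strings like "go1.18.2", "1.19.8" or "go1.20"
// (a .0 release was printed without the patch component before Go 1.21).
// Development toolchains such as "devel go1.22-..." are rejected.
func ParseGoVersion(s string) (GoVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return GoVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return GoVersion{}, fmt.Errorf("unrecognised Go version %q: %w", s, err)
		}
		nums[i] = n
	}
	return GoVersion{nums[0], nums[1], nums[2]}, nil
}

// Less reports whether v is older than w.
func (v GoVersion) Less(w GoVersion) bool {
	if v.Major != w.Major {
		return v.Major < w.Major
	}
	if v.Minor != w.Minor {
		return v.Minor < w.Minor
	}
	return v.Patch < w.Patch
}

// IsFixed reports whether a binary built with `built` carries the fix that an
// advisory shipped in `fixed` (one entry per supported release line, e.g.
// [1.19.8, 1.20.3]). The fix is present when `built` is on one of the listed
// minor lines at or above that line's patch, or on a newer minor line than any
// listed one. Anything older (such as 1.18.x here) is unpatched.
func IsFixed(built GoVersion, fixed []GoVersion) bool {
	if len(fixed) == 0 {
		return false
	}
	newest := GoVersion{}
	for _, f := range fixed {
		if built.Major == f.Major && built.Minor == f.Minor {
			return !built.Less(f)
		}
		if newest.Less(f) {
			newest = f
		}
	}
	return built.Major > newest.Major ||
		(built.Major == newest.Major && built.Minor > newest.Minor)
}

// ToolchainOf reads the Go version recorded in a compiled binary's build info,
// the same value `go version -m <binary>` prints.
func ToolchainOf(path string) (GoVersion, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return GoVersion{}, err
	}
	return ParseGoVersion(bi.GoVersion)
}

func main() {
	// Sample advisory data: the fixed versions from the CVE-2023-24538 row of
	// the XRay report above. Any other advisory's pair can be substituted.
	fixed := []GoVersion{{1, 19, 8}, {1, 20, 3}}

	// Inspect the binary named on the command line, or this program itself.
	path := os.Args[0]
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	built, err := ToolchainOf(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read build info:", err)
		os.Exit(2)
	}
	ok := IsFixed(built, fixed)
	fmt.Printf("%s built with go%d.%d.%d: patched=%v\n",
		path, built.Major, built.Minor, built.Patch, ok)
	if !ok {
		os.Exit(1) // non-zero so a CI step can gate on it
	}
}
```

Run it as `go run check.go ./path/to/ls-lint` (a placeholder path) to get the same verdict XRay reached, from the binary alone; the exit status makes the check usable as a release gate once a new ls-lint build is produced with a patched toolchain.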

@loeffel-io loeffel-io self-assigned this May 11, 2023
@loeffel-io
Owner

Hey @Lucas-C,

I am already working on v2 on the https://github.com/loeffel-io/ls-lint/tree/feature/loeffel-io/v2 branch since our Drone CI is no longer working.

v2 will be based on Bazel and GitHub Actions: the Go version can be configured specifically.

There is no ETA for v2 at the moment.

ref: #36

@Lucas-C
Author

Lucas-C commented May 15, 2023

OK, thank you for your feedback @loeffel-io

@Lucas-C
Author

Lucas-C commented May 23, 2023

Splendid, thank you @loeffel-io 👍

We will test it asap
