New release for CVE-2024-24790 #434

Closed
giovannirco opened this issue Jul 1, 2024 · 4 comments · Fixed by #436
Comments

@giovannirco

The current version is vulnerable to CVE-2024-24790

root/.local/share/helm/plugins/helm-s3.git/bin/helm-s3 (gobinary)
=================================================================
Total: 1 (CRITICAL: 1)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.19.13           │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

Are there any plans for releasing a new version fixing it?

@hypnoglow hypnoglow self-assigned this Jul 4, 2024
@hypnoglow hypnoglow added the go Pull requests that update Go code label Jul 4, 2024
hypnoglow added a commit that referenced this issue Jul 4, 2024
@hypnoglow hypnoglow added this to the Next milestone Jul 4, 2024
@giovannirco (Author)

I have just tried using this version and still get the vulnerability; it reports Go 1.22.0 installed. What am I missing?

root/.local/share/helm/plugins/helm-s3.git/bin/helm-s3 (gobinary)
=================================================================
Total: 1 (CRITICAL: 1)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.22.0            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

@hypnoglow (Owner)

I don't think that the fact the binary was built using 1.22.0 is enough to say that it is vulnerable.
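For context on what the finding actually covers: CVE-2024-24790 concerns the `net/netip` `Is*` methods (`IsLoopback`, `IsPrivate`, and so on) returning false for IPv4-mapped IPv6 addresses such as `::ffff:127.0.0.1`, so a binary is only exposed where it uses those methods to make a trust decision. The program below is an added example, not code from helm-s3 or from anyone in this thread. It shows the affected call pattern next to the mitigation that is correct on any toolchain, calling `Addr.Unmap()` before the check; `Classify` and the egress guard `AllowsExternalOnly` are hypothetical names, and the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Verdict records what the netip Is* methods say about one address, both as
// parsed and after Unmap() has reduced an IPv4-mapped IPv6 address to IPv4.
type Verdict struct {
	Input        string
	Is4In6       bool // true for ::ffff:a.b.c.d
	RawLoopback  bool // addr.IsLoopback() on the address as parsed
	RawPrivate   bool // addr.IsPrivate() on the address as parsed
	SafeLoopback bool // the same check after addr.Unmap()
	SafePrivate  bool
}

// Classify evaluates the two checks both ways. On a toolchain affected by
// CVE-2024-24790 the Raw* fields are false for "::ffff:127.0.0.1" and
// "::ffff:10.0.0.1"; the Safe* fields are correct on every Go version,
// which is why callers should unmap before classifying.
func Classify(s string) (Verdict, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return Verdict{}, err
	}
	u := addr.Unmap() // no-op for plain IPv4 and for non-mapped IPv6
	return Verdict{
		Input:        s,
		Is4In6:       addr.Is4In6(),
		RawLoopback:  addr.IsLoopback(),
		RawPrivate:   addr.IsPrivate(),
		SafeLoopback: u.IsLoopback(),
		SafePrivate:  u.IsPrivate(),
	}, nil
}

// AllowsExternalOnly is a hypothetical egress guard of the kind the CVE
// affects: it must refuse loopback, private, link-local and unspecified
// destinations. Unmapping first means "::ffff:127.0.0.1" cannot slip past
// it on an unpatched toolchain.
func AllowsExternalOnly(s string) bool {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false
	}
	u := addr.Unmap()
	return !(u.IsLoopback() || u.IsPrivate() || u.IsLinkLocalUnicast() || u.IsUnspecified())
}

func main() {
	// Constructed sample inputs: plain IPv4, the same hosts written as
	// IPv4-mapped IPv6, and two public addresses.
	for _, s := range []string{
		"127.0.0.1", "::ffff:127.0.0.1",
		"10.0.0.1", "::ffff:10.0.0.1",
		"8.8.8.8", "2001:db8::1",
	} {
		v, err := Classify(s)
		if err != nil {
			fmt.Println(s, err)
			continue
		}
		fmt.Printf("%-18s mapped=%-5v raw(loopback=%v private=%v) unmapped(loopback=%v private=%v) allowed=%v\n",
			v.Input, v.Is4In6, v.RawLoopback, v.RawPrivate, v.SafeLoopback, v.SafePrivate, AllowsExternalOnly(s))
	}
}
```

On Go 1.22.4/1.21.11 or later the raw and unmapped columns agree; on an affected toolchain the raw columns read false for the two mapped addresses while the unmapped columns and the guard still reject them. A binary that never makes this kind of decision gets nothing from the fix beyond a quieter scan.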

@weinguy-env0

I'm also still getting it in the scans.
Can we bump to the latest patch version when building the binary so we won't get false positives?

@hypnoglow (Owner)

v0.16.2 is now released with Go updated to 1.22.5.

@hypnoglow hypnoglow modified the milestones: 0.16.1, 0.16.2 Jul 26, 2024