CVE-2024-24790: bump go to 1.22.6 #917

sdx-jkataja · 2024-08-20T12:16:29Z

Fixes vulnerability CVE-2024-24790 by updating Go to 1.22.6

Fixes #913

sysadmind · 2024-08-22T15:24:37Z

.circleci/config.yml

@@ -6,7 +6,7 @@ executors:
  # This must match .promu.yml.
  golang:
    docker:
-      - image: cimg/go:1.21
+      - image: cimg/go:1.22.6


This needs to be changed in .promu.yml as well although there it should just be 1.22.
See here: https://github.com/prometheus/prometheus/blob/main/.promu.yml

Commit fe96c8f

sysadmind · 2024-08-22T15:25:27Z

go.mod

@@ -1,6 +1,6 @@
 module github.com/prometheus-community/elasticsearch_exporter

-go 1.20
+go 1.22.6


I think with a version this new, the toolchain declaration is required.

Please advise on what's needed for the toolchain declaration

Do you mean the following declaration?

go 1.22.6 toolchain go1.22.6

Running go mod tidy removes the toolchain line, so I assume it won't be required.

I think it depends on your local go version. After a second thought, we don't need to change this file at all. This is only a minimum go version and we don't need any new language features so we can leave this as 1.20

I'm go newbie so I had to check, and it appears you're correct. I have go 1.22.5 and when I built the code in master branch and then scan with Syft, it reports that the image contains go standard library 1.22.5.

Should I remove the change in go.mod and rely on CI files to use the updated go version?

Correct, you don't need the change in go.mod and in that case you also don't need the go.sum changes.

Done, I removed that commit

Signed-off-by: Janne Kataja <[email protected]>

mohhai1 · 2024-09-09T14:11:48Z

@sysadmind , kindly, when do we expect w release/tag with the fix?

sysadmind · 2024-09-20T15:00:34Z

https://github.com/prometheus-community/elasticsearch_exporter/releases/tag/v1.8.0

sdx-jkataja force-pushed the CVE-2024-24790 branch from 021f18e to 34f784b Compare August 20, 2024 12:17

sysadmind requested changes Aug 22, 2024

View reviewed changes

sysadmind reviewed Aug 22, 2024

View reviewed changes

sdx-jkataja requested a review from sysadmind August 26, 2024 14:30

sdx-jkataja added 2 commits September 6, 2024 13:32

bump CircleCI builder image

326388d

Signed-off-by: Janne Kataja <[email protected]>

bump go to 1.22

90f6066

Signed-off-by: Janne Kataja <[email protected]>

sdx-jkataja force-pushed the CVE-2024-24790 branch from fe96c8f to 90f6066 Compare September 6, 2024 11:33

sysadmind approved these changes Sep 7, 2024

View reviewed changes

sysadmind merged commit 711a6ce into prometheus-community:master Sep 7, 2024
4 checks passed

sdx-jkataja deleted the CVE-2024-24790 branch September 23, 2024 09:35

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2024-24790: bump go to 1.22.6 #917

CVE-2024-24790: bump go to 1.22.6 #917

sdx-jkataja commented Aug 20, 2024

sysadmind Aug 22, 2024

sdx-jkataja Aug 22, 2024

sysadmind Aug 22, 2024

sdx-jkataja Aug 22, 2024

sdx-jkataja Aug 22, 2024

sysadmind Sep 5, 2024

sdx-jkataja Sep 5, 2024

sysadmind Sep 5, 2024

sdx-jkataja Sep 6, 2024 •

edited

Loading

mohhai1 commented Sep 9, 2024

sysadmind commented Sep 20, 2024

CVE-2024-24790: bump go to 1.22.6 #917

CVE-2024-24790: bump go to 1.22.6 #917

Conversation

sdx-jkataja commented Aug 20, 2024

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

sdx-jkataja Sep 6, 2024 • edited Loading

Choose a reason for hiding this comment

mohhai1 commented Sep 9, 2024

sysadmind commented Sep 20, 2024

sdx-jkataja Sep 6, 2024 •

edited

Loading