Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Critical Golang vulnerability in envconsul v0.13.2 #21879

Closed
noahtrilling opened this issue Oct 28, 2024 · 1 comment
Closed

Critical Golang vulnerability in envconsul v0.13.2 #21879

noahtrilling opened this issue Oct 28, 2024 · 1 comment

Comments

@noahtrilling
Copy link

noahtrilling commented Oct 28, 2024

There are several open issues created for critical Golang vulnerabilities in envconsul 0.13.2 and 0.13.1 that have gone ignored and unresolved.

Critical Golang vulnerability in v0.13.2

There are commits merged into main that update the Golang version, but no new release has been created.

update go version to 1.22.4

According to the CODEOWNERS file, the Consul team owns envconsul.

envconsul CODEOWNERS

Since the issues in the envconsul repository appear to be unmonitored, I am creating an issue here to have the vulnerabilities addressed. Please create a new release of envconsul to resolve the Golang vulnerabilities cited in the envconsul issues.

@dduzgun-security
Copy link
Collaborator

Hi @noahtrilling , thanks for bringing this to our attention. We'll address them soon in the envconsul repository. I'll go ahead and close this as it's a duplicate of the hashicorp/envconsul#362.

For future reporting of vulnerabilities, we recommend using the [email protected] mailing list the have faster replies as described in our guide https://www.hashicorp.com/trust/security/vulnerability-management.

Thanks again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants