Critical Golang vulnerability in v0.13.2

[mdfst]

Envconsul version

/usr/local/bin/envconsul --version
envconsul v0.13.2 (dd416ce)

Which is the latest release available
https://github.com/hashicorp/envconsul/releases

Contains critical golang vulnerability

usr/local/bin/envconsul (gobinary)
==================================
Total: 1 (CRITICAL: 1)

Installed version: 1.20.4    
Fixed Version: 1.21.11, 1.22.4

https://nvd.nist.gov/vuln/detail/CVE-2024-24790
golang/go#67680

[marrws]

Related to #324

[marrws]

@armon @catsby @ryanuber @hc-github-team-es-release-engineering I'm really sorry for the ping but this is important.

Can we get a new release so the vulnerabilities don't keep piling up?

[marrws]

Sorry to ping you directly @NicoletaPopoviciu

Can we get a new release so the vulnerabilities don't keep piling up?

[marrws]

Sorry to ping you directly @dhiaayachi

Can we get a new release so the vulnerabilities don't keep piling up?

[chris-peterson]

I hate to respond with "+1", but I'm also in need of a release.

a container I'm using envconsul in got dinged for CVE-2022-23806 (and related)

I believe these would all be resolved by republishing anything after go updated

[noahtrilling]

According to the CODEOWNERS file in this repository, the Consul team are the owners of envconsul. Since the issues in this repository seem unmonitored, I've created an issue in the Consul repository to get the vulnerabilities addressed.

Consul #21879

[1FastSTi]

Also CVE-2023-45288

[dduzgun-security]

Hi all, thanks for reporting the issue and really sorry about the delay on this.
Created #366 to resolve the issue, it should be resolved in the next release.

For future reporting of vulnerabilities, we recommend reaching to the [email protected] email to have faster replies as described in our guide https://www.hashicorp.com/trust/security/vulnerability-management.