Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resolve CVE-2024-24786 #17551

Closed
4 tasks done
ivanvc opened this issue Mar 7, 2024 · 2 comments · Fixed by #17559
Closed
4 tasks done

Resolve CVE-2024-24786 #17551

ivanvc opened this issue Mar 7, 2024 · 2 comments · Fixed by #17559
Assignees
@ivanvc
Labels
area/security dependencies Pull requests that update a dependency file type/feature

Comments

@ivanvc
Copy link
Member

ivanvc commented Mar 7, 2024
edited
Loading

What would you like to be added?

This issue formalizes the work done to address CVE-2024-24786. Addressing it requires bumping google.golang.org/protobuf to v1.33.0.

As part of this task, it was found that neither 3.4 nor 3.5 had enabled the govuln workflow, tracked in #17549.

Why is this needed?

To improve security, resolve the CVE.
@ivanvc
Copy link
Member Author

ivanvc commented Mar 7, 2024

/assign

This was referenced Mar 8, 2024
Merged
Merged
Merged
@jmhbnz jmhbnz added area/security dependencies Pull requests that update a dependency file labels Mar 8, 2024
@ahrtr
Copy link
Member

ahrtr commented Mar 8, 2024

Please update changelog for both 3.4 and 3.5. Thanks.

@ivanvc ivanvc mentioned this issue Mar 8, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ivanvc ivanvc

Labels
area/security dependencies Pull requests that update a dependency file type/feature
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[3.4][3.5] Changelog: Add CVE-2024-24786 remediation ivanvc/etcd
3 participants
@ivanvc @ahrtr @jmhbnz