Update go.etcd.io/etcd/client/v3 to fix vulnerability issue CVE-2022-34038 #1272

Closed
wants to merge 1 commit into from

@malfple malfple commented Aug 28, 2023

This PR updates go.etcd.io/etcd/client/v3 to fix vulnerability issue CVE-2022-34038

Done by running:

go get -u go.etcd.io/etcd/client/v3
go mod tidy

When doing go mod tidy, I run into issues that would require updating libs for go 1.16 compatibility. Here are some of the messages:

...
github.com/go-kit/kit/metrics/pcp imports
        github.com/performancecopilot/speed/v4 imports
        github.com/HdrHistogram/hdrhistogram-go tested by
        github.com/HdrHistogram/hdrhistogram-go.test imports
        gonum.org/v1/gonum/stat/distuv imports
        gonum.org/v1/gonum/stat imports
        gonum.org/v1/gonum/mat imports
        gonum.org/v1/gonum/blas/blas64 imports
        gonum.org/v1/gonum/blas/gonum imports
        gonum.org/v1/gonum/internal/cmplx64 loaded from gonum.org/v1/gonum@v0.8.2,
        but go 1.16 would select v0.11.0
github.com/go-kit/kit/metrics/pcp imports
        github.com/performancecopilot/speed/v4 imports
        github.com/HdrHistogram/hdrhistogram-go tested by
        github.com/HdrHistogram/hdrhistogram-go.test imports
        gonum.org/v1/gonum/stat/distuv imports
        gonum.org/v1/gonum/stat imports
        gonum.org/v1/gonum/mat imports
        gonum.org/v1/gonum/blas/blas64 imports
        gonum.org/v1/gonum/blas/gonum imports
        gonum.org/v1/gonum/internal/math32 loaded from gonum.org/v1/gonum@v0.8.2,
        but go 1.16 would select v0.11.0

To upgrade to the versions selected by go 1.16:
        go mod tidy -go=1.16 && go mod tidy -go=1.17
If reproducibility with go 1.16 is not needed:
        go mod tidy -compat=1.17
For other options, see:
        https://golang.org/doc/modules/pruning

Selected the first option to upgrade to the versions selected by go 1.16

Issue #1271

@peterbourgon
Member

Error: ../../../go/pkg/mod/go.uber.org/multierr@v1.11.0/error.go:209:20: undefined: atomic.Bool
note: module requires Go 1.19
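
The build error above comes from an upgraded dependency whose go.mod declares a newer Go release than the project builds with. As an added example (not part of this PR or the project's code), this Go sketch reads the JSON stream that `go list -m -json all` prints and lists such modules; the 1.17 target and the example.com entries are assumptions made for the sample.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strconv"
	"strings"
)

type module struct{ Path, Version, GoVersion string } // fields used from `go list -m -json all`

// newer reports whether Go version a is newer than b (plain dotted numbers assumed).
func newer(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, _ := strconv.Atoi(as[i])
		y, _ := strconv.Atoi(bs[i])
		if x != y {
			return x > y
		}
	}
	return len(as) > len(bs)
}

// tooNew returns the modules whose go directive is newer than target; modules without one are skipped.
func tooNew(r io.Reader, target string) ([]string, error) {
	var out []string
	dec := json.NewDecoder(r)
	for dec.More() {
		var m module
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		if m.GoVersion != "" && newer(m.GoVersion, target) {
			out = append(out, fmt.Sprintf("%s@%s needs go %s", m.Path, m.Version, m.GoVersion))
		}
	}
	return out, nil
}

// Constructed sample; only the multierr line reflects the error in this thread.
const sample = `{"Path":"example.com/app","Main":true,"GoVersion":"1.17"}
{"Path":"example.com/nogo","Version":"v0.1.0"}
{"Path":"go.uber.org/multierr","Version":"v1.11.0","GoVersion":"1.19"}`

func main() {
	fmt.Println(tooNew(strings.NewReader(sample), "1.17"))
}
```

Running it against real output before and after a dependency bump shows which upgraded modules raise the minimum Go version.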

@malfple
Author

malfple commented Sep 20, 2023

Hi @peterbourgon, leaving an update. Our partner that was supposed to detect the vulnerability has decided that this is no longer a vulnerability and we no longer need this change. In addition to your help in pointing out that some of the new libs I added require go 1.19, I will be closing this PR. Thanks!

@malfple malfple closed this Sep 20, 2023