Golang vulnerabilities in v0.13.1

[FabienLfy]

Envconsul version

envconsul v0.13.1

CVE Vulnerabilities

Here is a list of Golang vulnerabilities that can be fixed by doing a version upgrade of the package:

• CVE-2022-41716 -> fixed in 1.19.3, 1.18.8
• CVE-2022-2879 -> fixed in 1.19.2, 1.18.7
• CVE-2022-41715 -> fixed in 1.19.2, 1.18.7
• CVE-2022-2880 -> fixed in 1.19.2, 1.18.7

[Woolleysi]

In addition, Trivy scanner identifies vulnerabilities in:

golang.org/x/net

• CVE-2022-41721
• CVE-2022-41723
• CVE-2022-41717

golang.org/x/text

• CVE-2022-32149

Thanks

[marrws]

In addition, Trivy scanner identifies vulnerabilities in:

golang.org/x/net

• CVE-2022-41721
• CVE-2022-41723
• CVE-2022-41717

This has been addressed by the bot in #344 and #347

golang.org/x/text
* CVE-2022-32149
Thanks

This one should be solved by 2794ee0

[marrws]

@hc-github-team-es-release-engineering Since #344 and #347 have been merged. Can we get a new release of envcosul with these fixes?

[zffocussss]

I agree with @marrws ,we need a new release including the security fixes

[marrws]

We got v0.13.2 on may 22
Sorry, misread the release

[marrws]

@armon @catsby @ryanuber @hc-github-team-es-release-engineering I'm really sorry for the ping but this is important.

Can we get a new release so the vulnerabilities don't keep piling up?

[dduzgun-security]

Thanks for reporting. Closing duplicated issue to centralize conversation/updates in this issue #362 and this PR #366. A fix should be available on the next release.

For future reporting of vulnerabilities, we recommend reaching to the security@hashicorp.com email to have faster replies as described in our guide https://www.hashicorp.com/trust/security/vulnerability-management.

[dduzgun-security]

Thanks a lot for your patience, https://github.com/hashicorp/envconsul/releases/tag/v0.13.3 is now available.