[ CVE-2024-6104 ] Update github.com/hashicorp/go-retryablehttp package #13079

Closed
kalpanathanneeru21 opened this issue Jun 28, 2024 · 3 comments · Fixed by #13081

Comments

@kalpanathanneeru21

Currently we are observing a security vulnerability with Packer.

Packer Version: 1.10.3 / v1.11.0
CVE: CVE-2024-6104
Severity: MEDIUM

```json
"vulnerabilities": [
  {
    "vulnerability_id": "CVE-2024-6104",
    "severity": "MEDIUM",
    "pkg_name": "github.com/hashicorp/go-retryablehttp",
    "pkg_path": "",
    "installed_version": "v0.7.0",
    "fixed_version": "0.7.7",
    "cvss_v2_score": "",
    "cvss_v3_score": "5.5",
    "status_summary": {
      "priority": "INFO",
      "status": "WARNING"
    }
  }
],
```

So we wanted to know if there is any plan to release a patch for this in the next release; if not, when can we expect a release with this patch?
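The scanner output above reports the installed module as `v0.7.0` and the fix as `0.7.7`, with the two spellings differing only in the leading `v`. The following is an added example, not code from the issue or from the Packer project, showing how to triage such a report offline: it parses a constructed copy of the JSON from the issue, normalises the `v` prefix, treats a pre-release of the fixed version as still vulnerable, and lists which modules still need an upgrade. The `Finding`, `Report`, `NeedsUpgrade` and `Triage` names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Finding mirrors the fields of the scanner output pasted in the issue.
type Finding struct {
	VulnerabilityID  string `json:"vulnerability_id"`
	Severity         string `json:"severity"`
	PkgName          string `json:"pkg_name"`
	InstalledVersion string `json:"installed_version"`
	FixedVersion     string `json:"fixed_version"`
}

// Report is the top-level object holding the findings.
type Report struct {
	Vulnerabilities []Finding `json:"vulnerabilities"`
}

// sampleReport is a constructed copy of the report from the issue (CI timestamps removed).
const sampleReport = `{
  "vulnerabilities": [
    {
      "vulnerability_id": "CVE-2024-6104",
      "severity": "MEDIUM",
      "pkg_name": "github.com/hashicorp/go-retryablehttp",
      "pkg_path": "",
      "installed_version": "v0.7.0",
      "fixed_version": "0.7.7",
      "cvss_v2_score": "",
      "cvss_v3_score": "5.5",
      "status_summary": {"priority": "INFO", "status": "WARNING"}
    }
  ]
}`

// version is a parsed MAJOR.MINOR.PATCH plus a flag for pre-release suffixes such as "-rc1".
type version struct {
	num [3]int
	pre bool
}

// parseVersion accepts both "v0.7.0" and "0.7.7": the optional "v" is stripped,
// and any "-pre" or "+build" suffix is recorded as a pre-release marker.
func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		v.pre = strings.HasPrefix(s[i:], "-")
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("version %q: %w", s, err)
		}
		v.num[i] = n
	}
	return v, nil
}

// less reports whether a sorts before b; a pre-release sorts before the matching release.
func less(a, b version) bool {
	for i := 0; i < 3; i++ {
		if a.num[i] != b.num[i] {
			return a.num[i] < b.num[i]
		}
	}
	return a.pre && !b.pre
}

// NeedsUpgrade reports whether the installed version is below the fixed version.
// A finding with no fixed version is treated as needing attention (no fix available).
func NeedsUpgrade(f Finding) (bool, error) {
	if f.FixedVersion == "" {
		return true, nil
	}
	installed, err := parseVersion(f.InstalledVersion)
	if err != nil {
		return false, err
	}
	fixed, err := parseVersion(f.FixedVersion)
	if err != nil {
		return false, err
	}
	return less(installed, fixed), nil
}

// Triage parses a report and returns the module path to upgrade, keyed by CVE id.
func Triage(raw string) (map[string]string, error) {
	var r Report
	if err := json.Unmarshal([]byte(raw), &r); err != nil {
		return nil, err
	}
	todo := map[string]string{}
	for _, f := range r.Vulnerabilities {
		needs, err := NeedsUpgrade(f)
		if err != nil {
			return nil, err
		}
		if needs {
			todo[f.VulnerabilityID] = f.PkgName
		}
	}
	return todo, nil
}

func main() {
	todo, err := Triage(sampleReport)
	if err != nil {
		panic(err)
	}
	for cve, pkg := range todo {
		fmt.Printf("%s: upgrade %s\n", cve, pkg)
	}
}
```

Running it against the constructed report prints one line for CVE-2024-6104 naming go-retryablehttp; a build that already ships 0.7.7 or later produces no output, which is the check to repeat after bumping the module in `go.mod`.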


Hi 👋 thanks for reaching out.

For general questions we recommend reaching out to the [community forum](https://discuss.hashicorp.com/c/packer) for greater visibility.
As the GitHub issue tracker is only watched by a small subset of maintainers and is really reserved for bugs and enhancements, you'll have a better chance of finding someone who can help you in the forum.
We'll mark this issue as needs-reply to help inform maintainers that this question is awaiting a response.
If no activity is taken on this question within 30 days it will be automatically closed.

If you find the forum to be more helpful or if you've found the answer to your question elsewhere please feel free to post a response and close the issue.

@nywilken (Contributor)

Thanks for bubbling up this issue. A pull request has been opened to address this vulnerability, and a subsequent change has been made to the Packer SDK as well. We will release Packer 1.11.1 next week. Given our LTS support model we will only update the latest version of Packer, and will not backport to 1.10.3.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 30, 2024