We're currently using the latest version of the confluent-kafka-go package (version 2.3.0) in our project, accessible at [github.com/confluentinc/confluent-kafka-go/v2:v2.3.0]. However, it's important to note that this version relies on the github.com/opencontainers/runc package, specifically version 1.1.3, which has been flagged with a HIGH vulnerability under CVE-2024-21626.
In light of this vulnerability, we kindly request upgrading the runc package to version 1.1.12 at your earliest convenience. This proactive measure will help ensure the security and stability of the system. Thank you for your attention to this matter.
How to reproduce
NA
Checklist
Please provide the following information:
confluent-kafka-go and librdkafka version (LibraryVersion()):
Apache Kafka broker version:
Client configuration: ConfigMap{...}
Operating system:
Provide client logs (with "debug": ".." as necessary)
Provide broker log excerpts
Critical issue
Hi @milindl ,
I see that the updated version of runc is 1.1.9.
Could you please consider upgrading to 1.1.12 which does not have any known vulnerabilities?
Thank you.
It's now at 1.1.0, but I can't update it to 1.1.12 without causing breakage in the builds (the tests don't work for me).
You can file an issue in the upstream package which causes this dependency to be fetched, it's github.com/moby/buildkit . I can keep this issue open until there's an update there (and in all the transient packages...). Alternatively, if you have any workarounds, please feel free to suggest them or make a PR; as long as things are building and the tests are running, I'll be happy to take a look.
Note that this is a dependency used only by the integration tests, not by the library.
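The distinction the maintainer draws (a module present in the dependency graph versus a module compiled into the library) is exactly what a consumer should verify before escalating a scanner finding. `go mod why -m github.com/opencontainers/runc` prints the requirement chain, and `go list -deps -f '{{with .Module}}{{.Path}}{{end}}' ./kafka` lists the modules that actually end up in a non-test build. The program below is an added example, not the project's code: it implements the same check offline over constructed `go mod graph` and `go list -deps` output (module versions in the sample are illustrative placeholders, not the project's real versions), finding the shortest requirement chain to a target module and classifying it as absent, compiled into the build, or reachable only through test/tool dependencies.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output ("requirer requirement" per line).
// Versions are illustrative placeholders, not the project's real versions.
const sampleGraph = `github.com/confluentinc/confluent-kafka-go/v2 github.com/moby/buildkit@v0.0.0-constructed
github.com/confluentinc/confluent-kafka-go/v2 github.com/stretchr/testify@v1.8.4
github.com/moby/buildkit@v0.0.0-constructed github.com/opencontainers/runc@v1.1.9
github.com/stretchr/testify@v1.8.4 github.com/davecgh/go-spew@v1.1.1`

// Constructed sample of non-test build dependencies, as printed by
// `go list -deps -f '{{with .Module}}{{.Path}}{{end}}' ./kafka`, deduplicated.
const sampleBuildDeps = `github.com/confluentinc/confluent-kafka-go/v2`

// modulePath strips the "@version" suffix from a go mod graph node.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// ParseGraph turns `go mod graph` output into an adjacency list keyed by
// node ("module@version", or the bare module path for the main module).
func ParseGraph(out string) map[string][]string {
	g := make(map[string][]string)
	for _, line := range strings.Split(strings.TrimSpace(out), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue // skip blank or malformed lines
		}
		g[f[0]] = append(g[f[0]], f[1])
	}
	return g
}

// FindPath does a breadth-first search from root and returns the shortest
// requirement chain ending at any version of target, or nil if unreachable.
func FindPath(g map[string][]string, root, target string) []string {
	prev := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if modulePath(cur) == target {
			var path []string
			for n := cur; n != ""; n = prev[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range g[cur] {
			if _, seen := prev[next]; !seen {
				prev[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// Classify reports how target relates to the module rooted at root:
// "absent" (not in the graph at all), "in-build" (listed among the non-test
// build dependencies), or "test-only" (reachable in the module graph but
// never compiled into the library).
func Classify(graphOut, buildDepsOut, root, target string) string {
	if FindPath(ParseGraph(graphOut), root, target) == nil {
		return "absent"
	}
	for _, m := range strings.Fields(buildDepsOut) {
		if m == target {
			return "in-build"
		}
	}
	return "test-only"
}

func main() {
	root := "github.com/confluentinc/confluent-kafka-go/v2"
	target := "github.com/opencontainers/runc"
	chain := FindPath(ParseGraph(sampleGraph), root, target)
	fmt.Println("chain:  ", strings.Join(chain, " -> "))
	fmt.Println("verdict:", Classify(sampleGraph, sampleBuildDeps, root, target))
}
```

On real output the same logic is what `go mod why -m` and `govulncheck ./...` give you directly; the point of the "test-only" verdict is that a module-level scanner hit on a dependency pulled in solely by integration tests does not mean the vulnerable code ships in the library binary, though downstream consumers will still see it in `go.sum` until the transitive requirement is bumped.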