runc package is not updated in the go.mod file #1139
Comments
|
Hi @milindl , |
|
That makes sense, let me check if I can make that change in the PR itself, given that it's an indirect dependency. |
|
It's now at 1.1.0, but I can't update it to 1.1.12 without causing breakage in the builds (the tests don't work for me). You can file an issue in the upstream package which cause this dependency to be fetched, it's github.com/moby/buildkit . I can keep this issue open until there's an update there (and in all the transient packages...) . Alternatively, if you have any workarounds, please feel free to suggest them or make a PR, as long as things are building and the tests are running, I'll be happy to take a look. Note that this is a dependency used only by the integration tests, not by the library. |
Description
Hi team,
We're currently using the latest version of the confluent-kafka-go package (version 2.3.0) in our project, accessible at [github.com/confluentinc/confluent-kafka-go/v2:v2.3.0]. However, it's important to note that this version relies on the github.com/opencontainers/runc package, specifically version 1.1.3, which has been flagged with a HIGH vulnerability under CVE-2024-21626.
In light of this vulnerability, we kindly request upgrading the runc package to version 1.1.12 at your earliest convenience. This proactive measure will help ensure the security and stability of the system. Thank you for your attention to this matter.
How to reproduce
NA
Checklist
Please provide the following information:
LibraryVersion()):ConfigMap{...}"debug": ".."as necessary)The text was updated successfully, but these errors were encountered: