Is CRI-O affected by CVE-2024-45337? #8849
-
Is CRI-O affected by CVE-2024-45337? I suspect not but wanted to check. More info on the CVE at GHSA-v778-237x-gjrc
Replies: 3 comments
-
Thank you! I noted that this module was listed as 'indirect' but was not really able to generate enough of a dependency graph to understand where it was being consumed. Thank you both for your prompt and informative responses.
-
To add. While the update to the golang.org/x/crypto package is always nice and welcomed, CRI-O is unaffected by this specific vulnerability. We are not calling or using this API, nor are any of our dependencies, as far as I can tell. We should be good.
-
#8845 should address the issue. Once merged, we will backport this to all supported versions of CRI-O.
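For readers trying to see where an 'indirect' module enters a build, as the thread discusses, here is an added example (not part of the discussion and not CRI-O code) that walks `go mod graph` output and lists every chain from the main module to golang.org/x/crypto. The graph is constructed sample input and every module name other than golang.org/x/crypto is hypothetical; a chain only shows that the module is pulled in, not that the affected API is called.

```go
package main

import "fmt"
import "strings"

// sampleGraph is constructed input in `go mod graph` format ("parent child" per line).
// All modules except golang.org/x/crypto, and all versions, are hypothetical.
const sampleGraph = `example.com/app example.com/liba@v0.1.0
example.com/app example.com/libb@v0.1.0
example.com/liba@v0.1.0 golang.org/x/crypto@v0.1.0
example.com/libb@v0.1.0 example.com/libc@v0.1.0
example.com/libc@v0.1.0 golang.org/x/crypto@v0.1.0
example.com/libb@v0.1.0 golang.org/x/sys@v0.1.0`

// parseGraph builds an adjacency list; lines without exactly two fields are skipped.
func parseGraph(out string) map[string][]string {
	g := map[string][]string{}
	for _, line := range strings.Split(out, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			g[f[0]] = append(g[f[0]], f[1])
		}
	}
	return g
}

// pathsTo returns each chain from root to any version of target as "a -> b -> c".
func pathsTo(g map[string][]string, root, target string) []string {
	var out []string
	onPath := map[string]bool{} // nodes on the current chain, so a cycle cannot loop
	var walk func(node string, trail []string)
	walk = func(node string, trail []string) {
		trail = append(trail, node)
		if strings.HasPrefix(node, target+"@") {
			out = append(out, strings.Join(trail, " -> "))
			return
		}
		onPath[node] = true
		for _, next := range g[node] {
			if !onPath[next] {
				walk(next, trail)
			}
		}
		onPath[node] = false
	}
	walk(root, nil)
	return out
}

func main() {
	fmt.Println(strings.Join(pathsTo(parseGraph(sampleGraph), "example.com/app", "golang.org/x/crypto"), "\n"))
}
```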