Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

all: Fix CVE-2024-45338 #11426

Open
twixthehero opened this issue Jan 9, 2025 · 1 comment
Open

all: Fix CVE-2024-45338 #11426

twixthehero opened this issue Jan 9, 2025 · 1 comment
Labels
needs more info This issue needs more information from the customer to proceed.

Comments

@twixthehero
Copy link

Client

all.

Additional context

CVE-2024-45338 is an issue with golang.org/x/net/html < 0.33.0. While this version is no longer in use because it was recently upgraded, the usage of github.com/google/s2a-go@v0.1.8 causes it to be included transitively.

> go mod graph | grep github.com/google/s2a-go@v0.1.8
cloud.google.com/go/accessapproval github.com/google/s2a-go@v0.1.8
cloud.google.com/go/accesscontextmanager github.com/google/s2a-go@v0.1.8
cloud.google.com/go/advisorynotifications github.com/google/s2a-go@v0.1.8
cloud.google.com/go/ai github.com/google/s2a-go@v0.1.8
cloud.google.com/go/aiplatform github.com/google/s2a-go@v0.1.8
cloud.google.com/go/alloydb github.com/google/s2a-go@v0.1.8
cloud.google.com/go/analytics github.com/google/s2a-go@v0.1.8
cloud.google.com/go/apigateway github.com/google/s2a-go@v0.1.8
cloud.google.com/go/apigeeconnect github.com/google/s2a-go@v0.1.8
cloud.google.com/go/apigeeregistry github.com/google/s2a-go@v0.1.8
cloud.google.com/go/apihub github.com/google/s2a-go@v0.1.8
cloud.google.com/go/apikeys github.com/google/s2a-go@v0.1.8
cloud.google.com/go/appengine github.com/google/s2a-go@v0.1.8
cloud.google.com/go/apphub github.com/google/s2a-go@v0.1.8
cloud.google.com/go/apps github.com/google/s2a-go@v0.1.8
cloud.google.com/go/area120 github.com/google/s2a-go@v0.1.8
cloud.google.com/go/artifactregistry github.com/google/s2a-go@v0.1.8
cloud.google.com/go/asset github.com/google/s2a-go@v0.1.8
cloud.google.com/go/assuredworkloads github.com/google/s2a-go@v0.1.8
cloud.google.com/go/auth github.com/google/s2a-go@v0.1.8
cloud.google.com/go/automl github.com/google/s2a-go@v0.1.8
cloud.google.com/go/backupdr github.com/google/s2a-go@v0.1.8
cloud.google.com/go/baremetalsolution github.com/google/s2a-go@v0.1.8
cloud.google.com/go/batch github.com/google/s2a-go@v0.1.8
cloud.google.com/go/beyondcorp github.com/google/s2a-go@v0.1.8
cloud.google.com/go/bigquery github.com/google/s2a-go@v0.1.8
cloud.google.com/go/bigtable github.com/google/s2a-go@v0.1.8
cloud.google.com/go/billing github.com/google/s2a-go@v0.1.8
cloud.google.com/go/binaryauthorization github.com/google/s2a-go@v0.1.8
cloud.google.com/go/certificatemanager github.com/google/s2a-go@v0.1.8
cloud.google.com/go/channel github.com/google/s2a-go@v0.1.8
cloud.google.com/go/chat github.com/google/s2a-go@v0.1.8
cloud.google.com/go/cloudbuild github.com/google/s2a-go@v0.1.8
cloud.google.com/go/cloudcontrolspartner github.com/google/s2a-go@v0.1.8
cloud.google.com/go/clouddms github.com/google/s2a-go@v0.1.8
cloud.google.com/go/cloudprofiler github.com/google/s2a-go@v0.1.8
cloud.google.com/go/cloudquotas github.com/google/s2a-go@v0.1.8
cloud.google.com/go/cloudtasks github.com/google/s2a-go@v0.1.8
cloud.google.com/go/commerce github.com/google/s2a-go@v0.1.8
cloud.google.com/go/compute github.com/google/s2a-go@v0.1.8
cloud.google.com/go/confidentialcomputing github.com/google/s2a-go@v0.1.8
cloud.google.com/go/config github.com/google/s2a-go@v0.1.8
cloud.google.com/go/contactcenterinsights github.com/google/s2a-go@v0.1.8
cloud.google.com/go/container github.com/google/s2a-go@v0.1.8
cloud.google.com/go/containeranalysis github.com/google/s2a-go@v0.1.8
cloud.google.com/go/datacatalog github.com/google/s2a-go@v0.1.8
cloud.google.com/go/dataflow github.com/google/s2a-go@v0.1.8
cloud.google.com/go/dataform github.com/google/s2a-go@v0.1.8
cloud.google.com/go/datafusion github.com/google/s2a-go@v0.1.8
cloud.google.com/go/datalabeling github.com/google/s2a-go@v0.1.8
cloud.google.com/go/dataplex github.com/google/s2a-go@v0.1.8
cloud.google.com/go/dataproc/v2 github.com/google/s2a-go@v0.1.8
cloud.google.com/go/dataqna github.com/google/s2a-go@v0.1.8
cloud.google.com/go/datastore github.com/google/s2a-go@v0.1.8
cloud.google.com/go/datastream github.com/google/s2a-go@v0.1.8
cloud.google.com/go/deploy github.com/google/s2a-go@v0.1.8
cloud.google.com/go/developerconnect github.com/google/s2a-go@v0.1.8
cloud.google.com/go/dialogflow github.com/google/s2a-go@v0.1.8
cloud.google.com/go/discoveryengine github.com/google/s2a-go@v0.1.8
cloud.google.com/go/dlp github.com/google/s2a-go@v0.1.8
cloud.google.com/go/documentai github.com/google/s2a-go@v0.1.8
cloud.google.com/go/domains github.com/google/s2a-go@v0.1.8
cloud.google.com/go/edgecontainer github.com/google/s2a-go@v0.1.8
cloud.google.com/go/edgenetwork github.com/google/s2a-go@v0.1.8
cloud.google.com/go/errorreporting github.com/google/s2a-go@v0.1.8
cloud.google.com/go/essentialcontacts github.com/google/s2a-go@v0.1.8
cloud.google.com/go/eventarc github.com/google/s2a-go@v0.1.8
cloud.google.com/go/filestore github.com/google/s2a-go@v0.1.8
cloud.google.com/go/firestore github.com/google/s2a-go@v0.1.8
cloud.google.com/go/functions github.com/google/s2a-go@v0.1.8
cloud.google.com/go/gkebackup github.com/google/s2a-go@v0.1.8
cloud.google.com/go/gkeconnect github.com/google/s2a-go@v0.1.8
cloud.google.com/go/gkehub github.com/google/s2a-go@v0.1.8
cloud.google.com/go/gkemulticloud github.com/google/s2a-go@v0.1.8
cloud.google.com/go/grafeas github.com/google/s2a-go@v0.1.8
cloud.google.com/go/gsuiteaddons github.com/google/s2a-go@v0.1.8
cloud.google.com/go/iam github.com/google/s2a-go@v0.1.8
cloud.google.com/go/iap github.com/google/s2a-go@v0.1.8
cloud.google.com/go/identitytoolkit github.com/google/s2a-go@v0.1.8
cloud.google.com/go/ids github.com/google/s2a-go@v0.1.8
cloud.google.com/go/internal/examples/fake github.com/google/s2a-go@v0.1.8
cloud.google.com/go/internal/generated github.com/google/s2a-go@v0.1.8
cloud.google.com/go/internal/godocfx github.com/google/s2a-go@v0.1.8
cloud.google.com/go/iot github.com/google/s2a-go@v0.1.8
cloud.google.com/go/kms github.com/google/s2a-go@v0.1.8
cloud.google.com/go/language github.com/google/s2a-go@v0.1.8
cloud.google.com/go/lifesciences github.com/google/s2a-go@v0.1.8
cloud.google.com/go/logging github.com/google/s2a-go@v0.1.8
cloud.google.com/go/longrunning github.com/google/s2a-go@v0.1.8
cloud.google.com/go/managedidentities github.com/google/s2a-go@v0.1.8
cloud.google.com/go/managedkafka github.com/google/s2a-go@v0.1.8
cloud.google.com/go/maps github.com/google/s2a-go@v0.1.8
cloud.google.com/go/mediatranslation github.com/google/s2a-go@v0.1.8
cloud.google.com/go/memcache github.com/google/s2a-go@v0.1.8
cloud.google.com/go/memorystore github.com/google/s2a-go@v0.1.8
cloud.google.com/go/metastore github.com/google/s2a-go@v0.1.8
cloud.google.com/go/migrationcenter github.com/google/s2a-go@v0.1.8
cloud.google.com/go/monitoring github.com/google/s2a-go@v0.1.8
cloud.google.com/go/netapp github.com/google/s2a-go@v0.1.8
cloud.google.com/go/networkconnectivity github.com/google/s2a-go@v0.1.8
cloud.google.com/go/networkmanagement github.com/google/s2a-go@v0.1.8
cloud.google.com/go/networksecurity github.com/google/s2a-go@v0.1.8
cloud.google.com/go/networkservices github.com/google/s2a-go@v0.1.8
cloud.google.com/go/notebooks github.com/google/s2a-go@v0.1.8
cloud.google.com/go/optimization github.com/google/s2a-go@v0.1.8
cloud.google.com/go/oracledatabase github.com/google/s2a-go@v0.1.8
cloud.google.com/go/orchestration github.com/google/s2a-go@v0.1.8
cloud.google.com/go/orgpolicy github.com/google/s2a-go@v0.1.8
cloud.google.com/go/osconfig github.com/google/s2a-go@v0.1.8
cloud.google.com/go/oslogin github.com/google/s2a-go@v0.1.8
cloud.google.com/go/parallelstore github.com/google/s2a-go@v0.1.8
cloud.google.com/go/phishingprotection github.com/google/s2a-go@v0.1.8
cloud.google.com/go/policysimulator github.com/google/s2a-go@v0.1.8
cloud.google.com/go/policytroubleshooter github.com/google/s2a-go@v0.1.8
cloud.google.com/go/privatecatalog github.com/google/s2a-go@v0.1.8
cloud.google.com/go/privilegedaccessmanager github.com/google/s2a-go@v0.1.8
cloud.google.com/go/profiler github.com/google/s2a-go@v0.1.8
cloud.google.com/go/pubsub github.com/google/s2a-go@v0.1.8
cloud.google.com/go/pubsublite github.com/google/s2a-go@v0.1.8
cloud.google.com/go/rapidmigrationassessment github.com/google/s2a-go@v0.1.8
cloud.google.com/go/recaptchaenterprise/v2 github.com/google/s2a-go@v0.1.8
cloud.google.com/go/recommendationengine github.com/google/s2a-go@v0.1.8
cloud.google.com/go/recommender github.com/google/s2a-go@v0.1.8
cloud.google.com/go/redis github.com/google/s2a-go@v0.1.8
cloud.google.com/go/resourcemanager github.com/google/s2a-go@v0.1.8
cloud.google.com/go/resourcesettings github.com/google/s2a-go@v0.1.8
cloud.google.com/go/retail github.com/google/s2a-go@v0.1.8
cloud.google.com/go/run github.com/google/s2a-go@v0.1.8
cloud.google.com/go/scheduler github.com/google/s2a-go@v0.1.8
cloud.google.com/go/secretmanager github.com/google/s2a-go@v0.1.8
cloud.google.com/go/securesourcemanager github.com/google/s2a-go@v0.1.8
cloud.google.com/go/security github.com/google/s2a-go@v0.1.8
cloud.google.com/go/securitycenter github.com/google/s2a-go@v0.1.8
cloud.google.com/go/securitycentermanagement github.com/google/s2a-go@v0.1.8
cloud.google.com/go/securityposture github.com/google/s2a-go@v0.1.8
cloud.google.com/go/servicecontrol github.com/google/s2a-go@v0.1.8
cloud.google.com/go/servicedirectory github.com/google/s2a-go@v0.1.8
cloud.google.com/go/servicehealth github.com/google/s2a-go@v0.1.8
cloud.google.com/go/servicemanagement github.com/google/s2a-go@v0.1.8
cloud.google.com/go/serviceusage github.com/google/s2a-go@v0.1.8
cloud.google.com/go/shell github.com/google/s2a-go@v0.1.8
cloud.google.com/go/shopping github.com/google/s2a-go@v0.1.8
cloud.google.com/go/spanner github.com/google/s2a-go@v0.1.8
cloud.google.com/go/spanner/test github.com/google/s2a-go@v0.1.8
cloud.google.com/go/speech github.com/google/s2a-go@v0.1.8
cloud.google.com/go/storage github.com/google/s2a-go@v0.1.8
cloud.google.com/go/storageinsights github.com/google/s2a-go@v0.1.8
cloud.google.com/go/storagetransfer github.com/google/s2a-go@v0.1.8
cloud.google.com/go/streetview github.com/google/s2a-go@v0.1.8
cloud.google.com/go/support github.com/google/s2a-go@v0.1.8
cloud.google.com/go/talent github.com/google/s2a-go@v0.1.8
cloud.google.com/go/telcoautomation github.com/google/s2a-go@v0.1.8
cloud.google.com/go/texttospeech github.com/google/s2a-go@v0.1.8
cloud.google.com/go/tpu github.com/google/s2a-go@v0.1.8
cloud.google.com/go/trace github.com/google/s2a-go@v0.1.8
cloud.google.com/go/translate github.com/google/s2a-go@v0.1.8
cloud.google.com/go/vertexai github.com/google/s2a-go@v0.1.8
cloud.google.com/go/video github.com/google/s2a-go@v0.1.8
cloud.google.com/go/videointelligence github.com/google/s2a-go@v0.1.8
cloud.google.com/go/vision/v2 github.com/google/s2a-go@v0.1.8
cloud.google.com/go/visionai github.com/google/s2a-go@v0.1.8
cloud.google.com/go/vmmigration github.com/google/s2a-go@v0.1.8
cloud.google.com/go/vmwareengine github.com/google/s2a-go@v0.1.8
cloud.google.com/go/vpcaccess github.com/google/s2a-go@v0.1.8
cloud.google.com/go/webrisk github.com/google/s2a-go@v0.1.8
cloud.google.com/go/websecurityscanner github.com/google/s2a-go@v0.1.8
cloud.google.com/go/workflows github.com/google/s2a-go@v0.1.8
cloud.google.com/go/workstations github.com/google/s2a-go@v0.1.8
main github.com/google/s2a-go@v0.1.8
cloud.google.com/go/storage@v1.43.0 github.com/google/s2a-go@v0.1.8
google.golang.org/api@v0.214.0 github.com/google/s2a-go@v0.1.8
cloud.google.com/go/auth@v0.13.0 github.com/google/s2a-go@v0.1.8
cloud.google.com/go/iam@v1.2.2 github.com/google/s2a-go@v0.1.8
...
output truncated

> go mod graph | grep -v golang.org/x/net@v0.33. | grep " golang.org/x/net@v0."
github.com/google/martian/v3@v3.3.3 golang.org/x/net@v0.0.0-20190628185345-da137c7871d7
github.com/googleapis/gax-go/v2@v2.14.0 golang.org/x/net@v0.30.0
...
output truncated

There's a lot of libraries that transitively include golang.org/x/net at older versions. s2a-go is just one library that has been updated with a fix. Likely all the dependencies will need to be updated for a complete fix.
@twixthehero twixthehero added the triage me I really want to be triaged. label Jan 9, 2025
@twixthehero twixthehero mentioned this issue Jan 9, 2025
Open
@codyoss
Copy link
Member

codyoss commented Jan 9, 2025

I do not think this is an actual issue. The way Go's MVS for dependencies work is a single version is chosen of a given dependency at a major version. A good way to verify this is to simply run go mod vendor on a module and see which version is calculated. I did not check, but am confident you will find it chooses 0.33.0.

That said we should upgrade s2a regardless, but I do not believe the dependencies at HEAD are susceptible to this issue. But if I am wrong, please correct me.

@codyoss codyoss added needs more info This issue needs more information from the customer to proceed. and removed triage me I really want to be triaged. labels Jan 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs more info This issue needs more information from the customer to proceed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@twixthehero @codyoss