Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

put CVE-2022-27191 on the not-vulnerable list #688

Merged
merged 1 commit into from
Aug 21, 2023
Merged

put CVE-2022-27191 on the not-vulnerable list #688

merged 1 commit into from
Aug 21, 2023

Conversation

jmazzitelli
Copy link
Contributor

@jmazzitelli jmazzitelli commented Aug 21, 2023
edited
Loading

Kiali does not match the described conditions as detailed here: https://groups.google.com/g/golang-announce/c/-cp44ypCT5shttps://groups.google.com/g/golang-announce/c/-cp44ypCT5s (specifically, the Kiali server is NOT "configured by passing a Signer to ServerConfig.AddHostKey").

Moreover, it does not appear that Kiali or any of its dependencies even pulls in "golang.org/x/crypto/ssh" which is the affected component:

$ go mod why golang.org/x/crypto/ssh
# golang.org/x/crypto/ssh
(main module does not need package golang.org/x/crypto/ssh)

$ go mod graph | grep golang.org/x/crypto/ssh
<returns empty>

Additionally, this report: GHSA-8c26-wmh5-6g9v shows it is only applicable up to Go v1.17.8, but the latest Kiali v1.72 uses Go 1.20.

$ podman run -it quay.io/kiali/kiali:v1.72.0 | grep "Go:"
2023-08-21T16:07:14Z INF Kiali: Version: v1.72.0, Commit: 7208cd1767e8347b00bff10391130d7bcc824548, Go: 1.20.5

Thus, Kiali is unaffected by this vulnerability detailed in CVE-2022-27191; as such there are no plans to change anything in Kiali for this issue.

netlify link: https://deploy-preview-688--kiali.netlify.app/news/security-bulletins/

@jmazzitelli jmazzitelli self-assigned this Aug 21, 2023
aljesusg
aljesusg approved these changes Aug 21, 2023
View reviewed changes
Copy link
Contributor

@aljesusg aljesusg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGFM

@jmazzitelli jmazzitelli merged commit 2628778 into kiali:staging Aug 21, 2023
4 of 5 checks passed
@jmazzitelli jmazzitelli deleted the cve-2022-27191 branch August 21, 2023 16:23
hhovsepy pushed a commit to hhovsepy/kiali.io that referenced this pull request Apr 5, 2024
@jmazzitelli @hhovsepy
put CVE-2022-27191 on the not-vulnerable list (kiali#688)
8a2bab4
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aljesusg aljesusg aljesusg approved these changes

Assignees

@jmazzitelli jmazzitelli

Labels
None yet
Projects
Kiali Sprint 24-15 | Kiali v2.2
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jmazzitelli @aljesusg