Upgraded go version for 2.7.x

zpear · May 16, 2023, 9:18pm

Hi all, I'm currently running ECK 2.7.0 but noticed a critical injection cve, CVE-2023-24538, that's brought in from the version of golang ECK runs with. I see since then, the go version has been updated (Update docker.io/library/golang Docker tag to v1.20.4 by renovate[bot] · Pull Request #6752 · elastic/cloud-on-k8s · GitHub).

Would it be possible to release 2.7.x with the upgraded go version to avoid this vulnerability? Alternatively, when is 2.8.0 scheduled to be released?

Thanks

warkolm · May 16, 2023, 11:58pm

Please see Security issues | Elastic for the best way to get a response for possible security issues like this

system · June 13, 2023, 11:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Fix for CVE-2021-27568 in 8.1.2 Elastic Cloud on Kubernetes (ECK) docker	2	430	May 3, 2022
ECK operator 1.3 Security vulnerabilities Elastic Cloud on Kubernetes (ECK) docker	3	454	May 27, 2021
Minor security vulnerability Elastic Cloud on Kubernetes (ECK)	2	460	November 4, 2022
ECK 0.8.1 Released Elastic Cloud on Kubernetes (ECK)	1	442	November 4, 2022
ElasticSearch 7.6.1 Vulnerabilities Elastic Cloud on Kubernetes (ECK) docker	0	162	May 1, 2024

Upgraded go version for 2.7.x

Related topics