CVE-2024-24790 #367

ZelphirKaltstahl · 2024-08-18T08:17:12Z

Are there any plans to upgrade to a newer version of go? If I understand correctly, 1.21.13-1 should have it fixed.

The text was updated successfully, but these errors were encountered:

jdvorak001 · 2024-08-19T09:02:48Z

... or 1.22.4+ or 1.23.

mholt · 2024-08-19T16:19:45Z

As noted elsewhere this does not really affect Caddy, but a new image with Go 1.23 is probably a good idea.

francislavoie · 2024-08-19T16:51:17Z

No point to keep this open, it's a duplicate.

ZelphirKaltstahl · 2024-08-19T17:22:14Z

Can you link at least to that "elsewhere", so that people searching for this CVE can find that documentation as well? I think that would be helpful.

Edit: Nvm, I found it: #361

mholt · 2024-08-19T17:51:49Z

(It's already linked above ☝️ )

itaysk · 2024-09-01T10:41:45Z

As noted elsewhere this does not really affect Caddy

@mholt
Hello from team Trivy :) Just chiming in to say that Trivy now allows software maintainers (you) to publish vulnerability analysis about your software (packages, libraries, container images) so that vulnerability scanners will automatically suppress those irrelevant vulnerabilities for end users. You can read more here:
https://aquasecurity.github.io/trivy/latest/docs/supply-chain/vex/repo/#publishing-vex-documents
https://github.com/aquasecurity/vexhub
Feel free to reach me or the Trivy team if you have any issues/feedback.

jdvorak001 mentioned this issue Aug 19, 2024

Current 2.8.4 image contain critical security vulnerability #361

Closed

mholt transferred this issue from caddyserver/caddy Aug 19, 2024

francislavoie closed this as completed Aug 19, 2024

avtar mentioned this issue Oct 16, 2024

Bump golang from 1.22-alpine3.20 to 1.23-alpine3.20 in /2.8/builder #366

Closed

Provide feedback