CVE-2022-27664 - net/http in Go before 1.18.6 and 1.19.x before 1.19.1 #363

Closed
estokes-vs opened this issue Dec 7, 2022 · 2 comments · Fixed by #365

@estokes-vs

Our security scanner flagged chamber for a Go vulnerability that exists in versions older than 1.18.6 and 1.19.1. It looks like chamber uses Go 1.13. Is there a current effort to patch this vulnerability or can it be added to the roadmap? Thanks!

https://nvd.nist.gov/vuln/detail/CVE-2022-27664

@rikez
Contributor

rikez commented Dec 7, 2022

Hi @estokes-vs, I filed a ticket internally to investigate this vuln. We will be looking into that soon.

@rikez rikez self-assigned this Dec 12, 2022
This was referenced Dec 12, 2022
@rikez
Contributor

rikez commented Dec 15, 2022

@estokes-vs This is mitigated on chamber v2.11.0.
