
Update Go to 1.23.8 for CVE-2025-22871 #4133


Closed
KrzysztofKarol opened this issue Apr 9, 2025 · 4 comments · Fixed by #4134

Comments

@KrzysztofKarol
Contributor

There is another Go vulnerability reported against the esbuild binary that is fixed in 1.23.8.

Package: stdlib
Installed Version: v1.23.7
Vulnerability CVE-2025-22871
Severity: UNKNOWN
Fixed Version: 1.23.8, 1.24.2
Link: CVE-2025-22871
Usages

I created a PR based on #4076 and #4077.
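The scanner report above only tells you which Go version a particular esbuild binary was built with; the same check is easy to run yourself over any Go binary in a build tree. As an added example (not code from this issue or from the esbuild project), the program below reads the toolchain version embedded in a compiled binary with the standard library's debug/buildinfo package (the same data `go version -m <file>` prints) and compares it against the fixed versions listed in the report. The comparison is branch-aware: 1.23.x is fixed from 1.23.8, 1.24.x from 1.24.2, a newer branch is assumed to ship with the fix, and an older branch is assumed never to have received it. Those branch semantics, the `vulnerable` and `checkBinary` function names and the `gocheck` program name are assumptions of this example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Fixed versions exactly as listed in the scanner report (one per supported branch).
var cve202522871Fixed = []string{"1.23.8", "1.24.2"}

type goVersion struct{ major, minor, patch int }

// parseGoVersion accepts the spellings seen in scanner output and build info:
// "v1.23.7" (scanner), "go1.23.7" (debug/buildinfo) and "1.23.8" (advisory).
// Pre-release strings such as "go1.24rc1" are rejected rather than guessed at.
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimSpace(s)
	s = strings.TrimPrefix(s, "go")
	s = strings.TrimPrefix(s, "v")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
		}
		n[i] = v
	}
	return goVersion{n[0], n[1], n[2]}, nil
}

func (v goVersion) less(o goVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

func (v goVersion) sameBranch(o goVersion) bool {
	return v.major == o.major && v.minor == o.minor
}

// vulnerable reports whether an installed toolchain version is still affected,
// given the advisory's fixed versions (assumed branch semantics, see lead-in):
// a branch with a listed fix is affected below that release; a branch newer than
// every listed fix already contains it; an older branch never received it.
func vulnerable(installed string, fixed []string) (bool, error) {
	if len(fixed) == 0 {
		return false, fmt.Errorf("no fixed versions given; cannot evaluate")
	}
	inst, err := parseGoVersion(installed)
	if err != nil {
		return false, err
	}
	var newest goVersion
	for _, f := range fixed {
		fv, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		if inst.sameBranch(fv) {
			return inst.less(fv), nil
		}
		if newest.less(fv) {
			newest = fv
		}
	}
	// No fix listed for this branch: affected unless the branch postdates the newest fix.
	return inst.less(newest), nil
}

// checkBinary reads the Go version recorded in a compiled binary's build info
// and evaluates it against the advisory's fixed versions.
func checkBinary(path string, fixed []string) (version string, affected bool, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	affected, err = vulnerable(bi.GoVersion, fixed)
	return bi.GoVersion, affected, err
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <go-binary>...")
		os.Exit(2)
	}
	exit := 0
	for _, p := range os.Args[1:] {
		v, affected, err := checkBinary(p, cve202522871Fixed)
		switch {
		case err != nil:
			fmt.Printf("%s: %v\n", p, err)
			exit = 2
		case affected:
			fmt.Printf("%s: built with %s, affected by CVE-2025-22871 (fixed in %s)\n",
				p, v, strings.Join(cve202522871Fixed, ", "))
			exit = 1
		default:
			fmt.Printf("%s: built with %s, not affected\n", p, v)
		}
	}
	os.Exit(exit)
}
```

Point it at the esbuild binary your package manager installed (or any other Go binary in the tree) and it exits non-zero when the embedded toolchain is older than the fixed release for its branch, which is the same conclusion the scanner drew from "Installed Version: v1.23.7".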

KrzysztofKarol added a commit to KrzysztofKarol/esbuild that referenced this issue Apr 9, 2025
dnegreira added a commit to dnegreira/advisories that referenced this issue Apr 15, 2025
Currently the package is pulling esbuild from npm and building it
locally. This also brings esbuild from upstream which is currently
compiled using go1.23.7.
esbuild already has an issue and PR open to have this fixed.
More details here: evanw/esbuild#4133
github-merge-queue bot pushed a commit to wolfi-dev/advisories that referenced this issue Apr 15, 2025
@skutner1

@evanw looking to see if this can be merged or comment a fix. Thanks.

@gusnaughton

@evanw appreciate your time - this is being flagged by static code analysis tools and is blocking CI/CD pipelines from proceeding.

@whyayala

Parroting that this also raised a flag on our vulnerability scanner, and while not a blocker, it is a point of pressure we're receiving from our security team.

@dbaltor

dbaltor commented Apr 23, 2025

Great work! 🎉
Much appreciated
