tareque
February 23, 2023, 7:36pm
1
Hi folks, temporalio/tchannel-go (Go implementation of a multiplexing and framing protocol for RPC calls) is importing a fairly old uber-go/tally (a Go metrics interface with fast buffered metrics and third party reporters), v3.3.15, that uses Thrift 0.10.0.
This results in several CVEs.
High vulnerability:
CVE-2019-0205
CVE-2018-11798
CVE-2015-3254
Medium vulnerability:
CVE-2020-13949
CVE-2019-0210
I see that the most recent commit in tchannel-go explicitly upgrades Thrift to 0.16.0 but 0.10.0 is also included due to the older Tally.
Would it be possible to explore upgrading Tally version in tchannel-go? Thanks.
tihomir
February 25, 2023, 6:25am
3
Hi, thanks a lot for sharing this info. Will get more info from our security team and get back to you asap.
tareque
February 27, 2023, 8:42pm
4
Thank you @tihomir . Please let me know.
tihomir
February 27, 2023, 8:52pm
5
Will do, as soon as I get some info will update here.
tihomir
February 27, 2023, 9:00pm
6
Just to add, we have an issue here that is related, as well as an issue opened with tally here.
tareque
February 27, 2023, 10:35pm
7
Makes sense. It does seem like tally will have to remove that fixed vendoring. They have moved towards Go modules, so I don't see why it is still vendored.
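An added example (not code from either poster, nor from the tchannel-go or tally projects) that works through the two points raised in the opening post and in the reply above: how Go's minimal version selection decides which Thrift version actually ends up in the build list when tchannel-go requires 0.16.0 and an older tally requires 0.10.0, and why a copy vendored inside tally's own tree is a different problem. The `go mod graph` listing below is constructed to mirror the thread; the tchannel-go version `v1.0.0` and the main module `example.com/app` are placeholders, not real releases. The semver comparison is deliberately minimal (vMAJOR.MINOR.PATCH only).

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleGraph is a constructed `go mod graph` listing (one "requirer required"
// pair per line) mirroring the thread. Only tally v3.3.15 and Thrift v0.10.0 /
// v0.16.0 come from the thread; the other versions are placeholders.
const sampleGraph = `example.com/app github.com/temporalio/tchannel-go@v1.0.0
example.com/app github.com/apache/thrift@v0.16.0
github.com/temporalio/tchannel-go@v1.0.0 github.com/uber-go/tally@v3.3.15
github.com/temporalio/tchannel-go@v1.0.0 github.com/apache/thrift@v0.16.0
github.com/uber-go/tally@v3.3.15 github.com/apache/thrift@v0.10.0
`

// Report holds the version MVS selects per module path and, for every
// version in the graph that lost the selection, the modules that asked for it.
type Report struct {
	Selected map[string]string   // module path -> selected version
	Losers   map[string][]string // "path@version" -> sorted requirers
}

// splitNode splits "path@version"; the main module carries no version.
func splitNode(node string) (path, version string) {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i], node[i+1:]
	}
	return node, ""
}

// versionLess compares vMAJOR.MINOR.PATCH numerically. Pre-release and
// "+incompatible" suffixes are dropped, which is enough for this sample.
func versionLess(a, b string) bool {
	parse := func(v string) [3]int {
		v = strings.TrimPrefix(v, "v")
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			v = v[:i]
		}
		var out [3]int
		for i, p := range strings.SplitN(v, ".", 3) {
			out[i], _ = strconv.Atoi(p)
		}
		return out
	}
	pa, pb := parse(a), parse(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// analyze applies minimal version selection to a `go mod graph` listing:
// for each module path the build list takes the highest version that any
// requirement edge names. Lower versions are recorded with their requirers
// so you can see who is still asking for them.
func analyze(graph string) Report {
	r := Report{Selected: map[string]string{}, Losers: map[string][]string{}}
	requirers := map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(graph), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		from, to := fields[0], fields[1]
		requirers[to] = append(requirers[to], from)
		path, ver := splitNode(to)
		if cur, ok := r.Selected[path]; !ok || versionLess(cur, ver) {
			r.Selected[path] = ver
		}
	}
	for node, who := range requirers {
		if path, ver := splitNode(node); ver != r.Selected[path] {
			sort.Strings(who)
			r.Losers[node] = who
		}
	}
	return r
}

func main() {
	r := analyze(sampleGraph)
	fmt.Println("build list selected by MVS:")
	paths := make([]string, 0, len(r.Selected))
	for p := range r.Selected {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		fmt.Printf("  %s %s\n", p, r.Selected[p])
	}
	fmt.Println("versions that lost the selection, and who still requires them:")
	for node, who := range r.Losers {
		fmt.Printf("  %s <- %s\n", node, strings.Join(who, ", "))
	}
	// A Thrift copy checked into tally's own source tree (what the thread calls
	// "fixed vendoring") is plain source, not a requirement edge, so it never
	// shows up in this graph and MVS cannot upgrade it.
	fmt.Println("note: a copy vendored inside a dependency's tree is invisible to this graph")
}
```

Running it shows `github.com/apache/thrift v0.16.0` in the build list and `github.com/apache/thrift@v0.10.0 <- github.com/uber-go/tally@v3.3.15` as the only losing edge, which matches the first post: the module requirement alone would not keep 0.10.0 in the build, so a scanner that still reports it is seeing the copy inside tally's own tree, and only a tally release without that copy (or dropping the dependency, as the next reply suggests) removes it.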
tihomir
February 27, 2023, 10:38pm
8
The eng team mentioned that Temporal does have a dependency on ringpop, but we do not use the Thrift protocol in any way. We also have a plan to deprecate ringpop in the future.
tareque
February 28, 2023, 10:43pm
9
Understood. Thanks for the responses @tihomir.