Upgrade go stdlib to resolve CVEs

bbemis · October 11, 2024, 5:00pm

Hi,

I am using a trivy scan to detect vulnerabilities in my project and we recently discovered a handful of vulnerabilities in the temporal-server image version 1.25.1. Looking at them they all seem to be related to the go stdlib version

would it be possible to upgrade out of these in the next server version?

tihomir · October 14, 2024, 8:30pm

Thanks for reporting. Will report to our security team. For these types of finds always feel free to also create github issue: Issues · temporalio/temporal · GitHub

Yichao_Yang · October 16, 2024, 5:23pm

Yes. We will upgrade golang version to latest 1.23 in our next minor release, 1.26.0, which is planned to go out in Dec. 2024.

Topic		Replies	Views
Security vulnerability in temporal image Server Deployment security	3	616	October 18, 2022
Latest versions of server and UI have security issues Community Support	1	408	November 8, 2022
I want to use version 1.19 of temporal server, if so, which version of go sdk do I need to use? Community Support go-sdk	2	456	May 9, 2023
Version compatibility between Server and SDK Community Support go-sdk	4	1032	August 8, 2024
Upgrade out of CVEs Community Support python-sdk , general-impl	1	114	June 3, 2024

Upgrade go stdlib to resolve CVEs

Related topics