Packages built using old go version

Description

For instance, Ubuntu Focal pmm-client packages are built using

$ go version pmm-admin pmm-agent
pmm-admin: go1.21
pmm-agent: go1.21

while 1.20.10 is the latest one. This causes security scans to report that it is affected by the following CVEs:

CVE-2023-24540
CVE-2023-29402
CVE-2023-29405
CVE-2023-24538
CVE-2023-29404

Even though it does not directly impact the client, it causes false positives for CVE checkers.

How to test

  1. install dev-latest PMM Client

  2. install go

  3. run `go version pmm-admin pmm-agent`

  4. Check that go version is 1.21

  1. install PMM Server

  2. install go inside PMM Server

  3. run `go version pmm-managed`

  4. Check that go version is 1.21
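The two test procedures above boil down to one check: does every shipped Go binary carry a toolchain stamp at or above a given baseline? The script below is an added example, not part of this ticket or of the PMM project, that automates that check over the output of `go version <binary>...`. It assumes a baseline of 1.20.10 (the version the description calls the latest; override it with `MIN_GO`) and compares versions component-wise, so `go1.21` correctly ranks above `go1.20.10`. It reads `go version` output rather than `strings | grep 'go1\.'`, because, as the verification comments on this ticket show, the grep approach also matches unrelated vendored file names such as `bits_go1.13.go`.

```shell
#!/bin/sh
# Added example (not from the PMM ticket): flag Go binaries whose embedded
# toolchain is older than a minimum. Feed it the output of `go version <bin>...`,
# which prints one "name: goX.Y.Z" line per binary. MIN_GO is an assumed
# baseline taken from the ticket's "1.20.10 is the latest" remark; adjust it.
MIN_GO="${MIN_GO:-1.20.10}"

# Pull the dotted toolchain number out of a `go version` line
# ("pmm-agent: go1.21.3" -> "1.21.3"); prints nothing if no Go stamp is present.
toolchain_of() {
  printf '%s\n' "$1" | sed -n 's/^.*: go\([0-9][0-9.]*\).*$/\1/p'
}

# version_ge A B: exit 0 when dotted version A >= B, compared numerically per
# component, so "1.21" > "1.20.10" (a plain string compare would get that wrong).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# check_versions MIN: read `go version` lines on stdin, print a verdict per
# binary, and exit non-zero if any binary was built with a toolchain below MIN.
check_versions() {
  min="$1"; rc=0
  while IFS= read -r line; do
    v=$(toolchain_of "$line")
    if [ -z "$v" ]; then
      printf '%s SKIP (no Go toolchain stamp)\n' "$line"
    elif version_ge "$v" "$min"; then
      printf '%s OK\n' "$line"
    else
      printf '%s OLD (< %s)\n' "$line" "$min"
      rc=1
    fi
  done
  return "$rc"
}

# Stand-alone use (hypothetical file name):
#   ./check_go_toolchain.sh /usr/bin/pmm-admin /usr/bin/pmm-agent
if [ "$#" -gt 0 ]; then
  command -v go >/dev/null 2>&1 || { echo "go toolchain not found in PATH" >&2; exit 2; }
  go version "$@" | check_versions "$MIN_GO"
fi
```

The exit status makes the script usable as a gate in a package build or a post-install smoke test: a non-zero status means at least one binary would trip a scanner that keys on the embedded toolchain version.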

How to document

None

AFFECTED CS IDs

CS0040089

Attachments

1
  • 25 Oct 2023, 03:52 PM

Activity

Nailya Kutlubaeva October 30, 2023 at 4:19 PM

verified:

[ec2-user@ip-10-178-1-109 ~]$ strings /usr/bin/pmm-agent | grep 'go1\.'
go1.21.3
/usr/local/go/src/vendor/golang.org/x/crypto/internal/poly1305/bits_go1.13.go
go1.21.3
[ec2-user@ip-10-178-1-109 ~]$ strings /usr/bin/pmm-admin | grep 'go1\.'
go1.21.3
/usr/local/go/src/vendor/golang.org/x/crypto/internal/poly1305/bits_go1.13.go
go1.21.3
[ec2-user@ip-10-178-1-109 ~]$

Aaditya Dubey October 24, 2023 at 10:59 AM

Hi,

Verified as described:

vagrant@ubuntu-focal:~$ hostnamectl
   Static hostname: ubuntu-focal
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 3b16353bbddf46f89359b09c5f95945b
           Boot ID: 39f1aa188c054d76998a5077ced7cebc
    Virtualization: oracle
  Operating System: Ubuntu 20.04.6 LTS
            Kernel: Linux 5.4.0-164-generic
      Architecture: x86-64
vagrant@ubuntu-focal:~$ tar -xvf pmm2-client-2.40.0.tar.gz
pmm2-client-2.40.0/
pmm2-client-2.40.0/bin/
...
vagrant@ubuntu-focal:~/pmm2-client-2.40.0/bin$ strings pmm-agent | grep 'go1\.'
go1.20.1
/usr/local/go/src/vendor/golang.org/x/crypto/internal/poly1305/bits_go1.13.go
go1.20.1

We can see the pmm-client binary is still using 1.20.1. Please let me know if anything is required from our end.

Aaditya Dubey October 24, 2023 at 8:13 AM

Sure !

Roma Novikov October 23, 2023 at 1:01 PM

Converting this to Bug (it's not a user-faced feature - the Go version) as the CVE is the bug

+ needs verification as initial feedback from dev team - https://github.com/percona/pmm/pull/2497/files we are already using the 2.21 version for 2.40.0 release


Evgeniy Patlan October 23, 2023 at 10:08 AM

please recheck if we need to use latest go version and update other dependencies if needed

Done

Details

Needs QA

Yes

Created October 23, 2023 at 10:04 AM
Updated March 8, 2024 at 4:54 PM
Resolved October 31, 2023 at 6:58 AM