Packages built using old go version
General
Escalation
Description
How to test
Install the dev-latest PMM Client
Install Go
Run `go version pmm-admin pmm-agent`
Check that the reported Go version is 1.21
Install PMM Server
Install Go inside PMM Server
Run `go version pmm-managed`
Check that the reported Go version is 1.21
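The following script automates the two checks above. It is an added example, not part of this ticket and not PMM's own tooling; the script name, the minimum-version argument and the sample `strings` output embedded in it are assumptions. It prefers `go version <binary>`, which reads the buildinfo that the Go linker embeds in every executable and is therefore authoritative, and falls back to `strings` only when no Go toolchain is installed. The fallback filter is anchored on purpose: as the `strings` output quoted in the comments below shows, a bare `grep 'go1\.'` also matches the vendored source path `bits_go1.13.go`, which is not a toolchain version. Versions are compared field by field as integers so that 1.20.10 ranks above 1.20.1, which a plain string comparison gets wrong.

```shell
#!/bin/sh
# check_go_build.sh (hypothetical name): verify that Go binaries were built
# with at least a minimum toolchain version.
# Usage: sh check_go_build.sh go1.21 /usr/bin/pmm-admin /usr/bin/pmm-agent

# Constructed sample, modelled on the `strings pmm-agent | grep 'go1\.'`
# output in this ticket. Note the vendored file name that also contains "go1.".
SAMPLE_STRINGS='go1.20.1
/usr/local/go/src/vendor/golang.org/x/crypto/internal/poly1305/bits_go1.13.go
go1.20.1'

# extract_go_version TEXT: print the first toolchain token (goX.Y[.Z]) in TEXT.
# Accepts both `go version <bin>` output ("path: go1.21.3") and raw `strings`
# output (a bare "go1.21.3" line). A token must start the line or follow ": ",
# so "bits_go1.13.go" is ignored. Prints nothing if no token is found.
extract_go_version() {
    printf '%s\n' "$1" \
        | grep -oE '(^|: )go1\.[0-9]+(\.[0-9]+)?( .*)?$' \
        | sed -e 's/^: //' -e 's/ .*$//' \
        | head -n 1
}

# version_ge A B: succeed if Go version A is >= B, comparing major, minor and
# patch as integers. Missing fields are treated as 0 (go1.21 == go1.21.0).
version_ge() {
    _a=${1#go}; _b=${2#go}
    set -- $(printf '%s' "$_a" | tr '.' ' ')
    _a1=${1:-0}; _a2=${2:-0}; _a3=${3:-0}
    set -- $(printf '%s' "$_b" | tr '.' ' ')
    _b1=${1:-0}; _b2=${2:-0}; _b3=${3:-0}
    [ "$_a1" -ne "$_b1" ] && { [ "$_a1" -gt "$_b1" ]; return; }
    [ "$_a2" -ne "$_b2" ] && { [ "$_a2" -gt "$_b2" ]; return; }
    [ "$_a3" -ge "$_b3" ]
}

# check_binary BIN MIN: report the toolchain BIN was built with and whether it
# meets MIN. Returns 0 on pass, 1 on too old, 2 if no version could be read.
check_binary() {
    _bin=$1; _min=$2
    if command -v go >/dev/null 2>&1; then
        _raw=$(go version "$_bin" 2>/dev/null)   # embedded buildinfo: authoritative
    else
        _raw=$(strings "$_bin" 2>/dev/null)      # fallback when Go is not installed
    fi
    _got=$(extract_go_version "$_raw")
    if [ -z "$_got" ]; then
        echo "$_bin: no Go toolchain version found (not a Go binary, or buildinfo stripped)"
        return 2
    fi
    if version_ge "$_got" "$_min"; then
        echo "$_bin: built with $_got, meets minimum $_min"
        return 0
    fi
    echo "$_bin: built with $_got, OLDER than required $_min"
    return 1
}

# main MIN BIN...: check every binary; exit non-zero if any one fails.
main() {
    _minver=$1; shift
    _rc=0
    for _b in "$@"; do
        check_binary "$_b" "$_minver" || _rc=1
    done
    return $_rc
}

[ "$#" -eq 0 ] || main "$@"
```

Run it as `sh check_go_build.sh go1.21 /usr/bin/pmm-admin /usr/bin/pmm-agent` on a client host, and with `pmm-managed` inside PMM Server; a non-zero exit means at least one binary is below the minimum or carries no readable buildinfo.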
How to document
None
AFFECTED CS IDs
CS0040089
Attachments (1)
- 25 Oct 2023, 03:52 PM
Activity
Nailya Kutlubaeva October 30, 2023 at 4:19 PM
verified:
[ec2-user@ip-10-178-1-109 ~]$ strings /usr/bin/pmm-agent | grep 'go1\.'
go1.21.3
/usr/local/go/src/vendor/golang.org/x/crypto/internal/poly1305/bits_go1.13.go
go1.21.3
[ec2-user@ip-10-178-1-109 ~]$ strings /usr/bin/pmm-admin | grep 'go1\.'
go1.21.3
/usr/local/go/src/vendor/golang.org/x/crypto/internal/poly1305/bits_go1.13.go
go1.21.3
[ec2-user@ip-10-178-1-109 ~]$
Aaditya Dubey October 24, 2023 at 10:59 AM
Hi @Roma Novikov,
Verified as described:
vagrant@ubuntu-focal:~$ hostnamectl
Static hostname: ubuntu-focal
Icon name: computer-vm
Chassis: vm
Machine ID: 3b16353bbddf46f89359b09c5f95945b
Boot ID: 39f1aa188c054d76998a5077ced7cebc
Virtualization: oracle
Operating System: Ubuntu 20.04.6 LTS
Kernel: Linux 5.4.0-164-generic
Architecture: x86-64
vagrant@ubuntu-focal:~$ tar -xvf pmm2-client-2.40.0.tar.gz
pmm2-client-2.40.0/
pmm2-client-2.40.0/bin/
...
vagrant@ubuntu-focal:~/pmm2-client-2.40.0/bin$ strings pmm-agent | grep 'go1\.'
go1.20.1
/usr/local/go/src/vendor/golang.org/x/crypto/internal/poly1305/bits_go1.13.go
go1.20.1
We can see the pmm-client binary is still using 1.20.1. Please let me know if anything is required from our end.
Aaditya Dubey October 24, 2023 at 8:13 AM
Sure @Roma Novikov !
Roma Novikov October 23, 2023 at 1:01 PM
Converting this to a Bug (the Go version is not a user-facing feature), as the CVE is the bug
+ needs verification, as the initial feedback from the dev team - https://github.com/percona/pmm/pull/2497/files - is that we are already using the 2.21 version for the 2.40.0 release
Evgeniy Patlan October 23, 2023 at 10:08 AM
@Nurlan Moldomurov please recheck whether we need to use the latest Go version and update other dependencies if needed
Done
Created October 23, 2023 at 10:04 AM
Updated March 8, 2024 at 4:54 PM
Resolved October 31, 2023 at 6:58 AM
For instance, the Ubuntu Focal pmm-client packages are built using go1.20.1:
$ go version pmm-admin pmm-agent
pmm-admin: go1.20.1
pmm-agent: go1.20.1
while 1.20.10 is the latest 1.20 release. This causes security scans to report the binaries as affected by the following CVEs:
CVE-2023-24540
CVE-2023-29402
CVE-2023-29405
CVE-2023-24538
CVE-2023-29404
Even though the client is not directly impacted, this produces false positives in CVE checkers.