CVEs reported in Percona Toolkit version 5.3.2 related to GO

Description

We install the toolkit from the Percona website.
Software link: https://downloads.percona.com/downloads/percona-toolkit/3.5.2/binary/tarball/percona-toolkit-3.5.2_x86_64.tar.gz

After installing the software and scanning the image with Twistlock, we get the list of CVEs below.

Can we expect a newer tar.gz for Linux to be published, and when?

+----------------+----------+------+---------+---------+-------------------------+-----------+------------+----------------------------------------------------+
| CVE            | SEVERITY | CVSS | PACKAGE | VERSION | STATUS                  | PUBLISHED | DISCOVERED | DESCRIPTION                                        |
+----------------+----------+------+---------+---------+-------------------------+-----------+------------+----------------------------------------------------+
| CVE-2023-24538 | critical | 9.80 | go      | 1.20.2  | fixed in 1.20.3, 1.19.8 | 17 days   | < 1 hour   | Templates do not properly consider backticks (`)   |
|                |          |      |         |         | 6 days ago              |           |            | as Javascript string delimiters, and do not escape |
|                |          |      |         |         |                         |           |            | them as expected. Backticks are used, since ES6,   |
|                |          |      |         |         |                         |           |            | f...                                               |
+----------------+----------+------+---------+---------+-------------------------+-----------+------------+----------------------------------------------------+
| CVE-2023-24537 | high     | 7.50 | go      | 1.20.2  | fixed in 1.20.3, 1.19.8 | 17 days   | < 1 hour   | Calling any of the Parse functions on Go source    |
|                |          |      |         |         | 10 days ago             |           |            | code which contains //line directives with very    |
|                |          |      |         |         |                         |           |            | large line numbers can cause an infinite loop due  |
|                |          |      |         |         |                         |           |            | to i...                                            |
+----------------+----------+------+---------+---------+-------------------------+-----------+------------+----------------------------------------------------+
| CVE-2023-24536 | high     | 7.50 | go      | 1.20.2  | fixed in 1.20.3, 1.19.8 | 17 days   | < 1 hour   | Multipart form parsing can consume large amounts   |
|                |          |      |         |         | 6 days ago              |           |            | of CPU and memory when processing form inputs      |
|                |          |      |         |         |                         |           |            | containing very large numbers of parts. This stems |
|                |          |      |         |         |                         |           |            | from...                                            |
+----------------+----------+------+---------+---------+-------------------------+-----------+------------+----------------------------------------------------+
| CVE-2023-24534 | high     | 7.50 | go      | 1.20.2  | fixed in 1.20.3, 1.19.8 | 17 days   | < 1 hour   | HTTP and MIME header parsing can allocate large    |
|                |          |      |         |         | 5 days ago              |           |            | amounts of memory, even when parsing small inputs, |
|                |          |      |         |         |                         |           |            | potentially leading to a denial of service.        |
|                |          |      |         |         |                         |           |            | Certain...                                         |
+----------------+----------+------+---------+---------+-------------------------+-----------+------------+----------------------------------------------------+

Environment

None

Activity

Kushal Haldar June 15, 2023 at 2:52 PM

Looks like PRISMA-2023-0056, found in percona-toolkit-3.5.3/bin/pt-mongodb-index-check, is still outstanding.

Details:

Severity: Medium

Impacted versions: *

Discovered: less than an hour ago

Published: 34 days ago

Description: The github.com/sirupsen/logrus module of all versions is vulnerable to denial of service. Logging more than 64kb of data in a single entry without newlines causes the log writer function to hang indefinitely.

Details about the vulnerability available on Twistlock tool: PRISMA-2023-0056

I created the ticket https://jira.percona.com/browse/PT-2229 requesting resolution.

Sveta Smirnova June 14, 2023 at 8:34 PM

Hi,

Yes, we upgraded to Go 1.20.4 in 3.5.3.

For example:

$ ./pt-k8s-debug-collector --version
pt-k8s-debug-collector Version 3.5.3 Build: 2023-05-30T17:00:22+0000 using go1.20.4 Commit: 5f31c33301c4c26ee11709fd97b7711038ad0a0d
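Added example, not code from the ticket or from Percona Toolkit: a POSIX shell check that takes a tool's --version banner in the format quoted above, extracts the Go toolchain version, and compares it with the fix versions the Twistlock table lists (1.20.3 / 1.19.8). The 3.5.3 banner is the one quoted in the comment; the 3.5.2 banner is constructed from the table's "go 1.20.2" entry.

```shell
#!/bin/sh
# Added example, not Percona code: does a pt-* Go binary report a toolchain
# that already carries the fixes for the four CVEs in the Twistlock table
# (all "fixed in 1.20.3, 1.19.8")?

# Pull "1.20.4" out of a --version banner passed as $1 (empty if absent).
go_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*using go\([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 when Go version $1 is at or above the fix version for its minor
# line: 1.19.x needs >= 1.19.8, 1.20.x needs >= 1.20.3. Minors after 1.20
# are assumed to include the fixes; anything older than 1.19 is unfixed.
go_fixed_for_listed_cves() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    [ -n "$patch" ] || patch=0
    [ "$major" -eq 1 ] || return 1
    case "$minor" in
        19) [ "$patch" -ge 8 ] ;;
        20) [ "$patch" -ge 3 ] ;;
        *)  [ "$minor" -gt 20 ] ;;
    esac
}

# Print "fixed", "vulnerable" or "unknown" for a banner string.
check_banner() {
    v=$(go_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif go_fixed_for_listed_cves "$v"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Banner quoted in the comment above (3.5.3 build).
BANNER_353='pt-k8s-debug-collector Version 3.5.3 Build: 2023-05-30T17:00:22+0000 using go1.20.4 Commit: 5f31c33301c4c26ee11709fd97b7711038ad0a0d'
# Constructed banner for the scanned 3.5.2 tarball (table says go 1.20.2).
BANNER_352='pt-k8s-debug-collector Version 3.5.2 using go1.20.2'

check_banner "$BANNER_353"   # fixed
check_banner "$BANNER_352"   # vulnerable
```

On an unpacked tarball, `go version -m bin/<tool>` reads the same toolchain version out of the binary without executing it.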

Kushal Haldar June 7, 2023 at 5:38 PM

Did we upgrade the version of Go to 1.20.4 in software version 3.5.3, which was released recently?

Sveta Smirnova May 29, 2023 at 3:20 PM

Release is planned for the next week.

Sveta Smirnova May 29, 2023 at 1:54 PM

Thank you for the new set of CVEs. They will be fixed by bumping the version of Go to 1.20.4.

Done

Needs QA: Yes

Created April 24, 2023 at 2:22 PM
Updated February 29, 2024 at 8:39 PM
Resolved May 29, 2023 at 1:53 PM
