I have the telegraf binary (1.24.1) as part of one of my app images, and this is the only Go dependency it has.
Unfortunately, CVE scans reveal several issues:
https://nvd.nist.gov/vuln/detail/CVE-2023-39323
https://nvd.nist.gov/vuln/detail/CVE-2023-29405
(a few others too, but I am allowed to put only 2 links here)
Going through the details for these CVEs, I am not able to figure out how to fix the image.
I can't update the telegraf version.
Please help here.
Please help here.
I can't update the telegraf version.
The simplest step would be to update your version of Telegraf, which is on a newer Go version that resolves both of these issues. You will need to build your version of Telegraf with a newer version of Go then, which could be challenging if any additional changes are required.
telegraf binary(1.24.1)
This version of Telegraf was built with Go 1.19.1
NVD - CVE-2023-39323
Says it was fixed in 1.21.2 or newer.
NVD - CVE-2023-29405
Says it was fixed in 1.20.5 or newer.
So you would need to build with 1.21.2 or newer to resolve both of these issues.
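As an added example (my own code, not from this thread or the Telegraf project), here is a small Go program that automates the check the reply above does by hand: it reads the toolchain version stamped into a binary with the standard library's debug/buildinfo package (the same value `go version -m telegraf` prints on its first line) and compares it against the fixed-in versions quoted above. Both CVEs are in the Go toolchain rather than in Telegraf's own code, which is why a scanner keys on that stamp and why rebuilding the same Telegraf source with a fixed toolchain changes the result. The CVE table holds only the two fixed-in versions the reply gives; NVD also lists backports on older release branches, which can be added as further entries. Function names and the "affected" rule for unlisted branches are my assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// toolchainFix records a Go-toolchain CVE and the first version on each
// release branch that fixes it. Assumption: only the versions quoted in the
// thread are listed; add the older-branch backports from NVD if you rely on
// a 1.19.x or 1.20.x toolchain.
type toolchainFix struct {
	CVE     string
	FixedIn []string
}

var fixes = []toolchainFix{
	{CVE: "CVE-2023-39323", FixedIn: []string{"go1.21.2"}},
	{CVE: "CVE-2023-29405", FixedIn: []string{"go1.20.5"}},
}

// parseGoVersion turns "go1.19.1" (or "go1.20", "go1.21rc2") into
// [major, minor, patch]. A pre-release suffix is dropped; a "devel"
// toolchain stamp cannot be compared and reports ok=false.
func parseGoVersion(v string) (parts [3]int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	if strings.HasPrefix(v, "devel") {
		return parts, false
	}
	end := len(v) // cut at the first char that is neither a digit nor '.'
	for i, c := range v {
		if !(c >= '0' && c <= '9' || c == '.') {
			end = i
			break
		}
	}
	fields := strings.Split(v[:end], ".")
	if len(fields) < 2 || len(fields) > 3 {
		return parts, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil {
			return parts, false
		}
		parts[i] = n
	}
	return parts, true
}

// affected reports whether toolchain version v lacks the fix whose fixed
// versions (one per release branch) are fixedIn. On a listed branch the
// patch level decides; a branch newer than every listed fix carries the
// fix from its first release; an older, unlisted branch is treated as
// affected (assumption: err on the side of flagging).
func affected(v string, fixedIn []string) (bool, error) {
	pv, ok := parseGoVersion(v)
	if !ok {
		return false, fmt.Errorf("cannot parse Go version %q", v)
	}
	newestBranch := -1
	for _, f := range fixedIn {
		pf, ok := parseGoVersion(f)
		if !ok {
			return false, fmt.Errorf("bad fixed version %q in table", f)
		}
		if pf[1] > newestBranch {
			newestBranch = pf[1]
		}
		if pv[0] == pf[0] && pv[1] == pf[1] {
			return pv[2] < pf[2], nil
		}
	}
	return pv[1] <= newestBranch, nil
}

// checkToolchain maps each CVE in the table to whether a binary built with
// goVersion is flagged for it.
func checkToolchain(goVersion string) (map[string]bool, error) {
	result := make(map[string]bool, len(fixes))
	for _, fx := range fixes {
		hit, err := affected(goVersion, fx.FixedIn)
		if err != nil {
			return nil, err
		}
		result[fx.CVE] = hit
	}
	return result, nil
}

// goVersionOf reads the toolchain version stamped into a Go binary.
func goVersionOf(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <binary>...")
		os.Exit(2)
	}
	exit := 0
	for _, path := range os.Args[1:] {
		v, err := goVersionOf(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			exit = 2
			continue
		}
		fmt.Printf("%s: built with %s\n", path, v)
		res, err := checkToolchain(v)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			exit = 2
			continue
		}
		for _, fx := range fixes { // iterate the table for stable output
			if res[fx.CVE] {
				fmt.Printf("  %s: toolchain affected, fixed in %s\n", fx.CVE, strings.Join(fx.FixedIn, ", "))
				exit = 1
			}
		}
	}
	os.Exit(exit)
}
```

Run it as `go run gocheck.go /usr/bin/telegraf`; it exits 1 when any listed CVE applies, so it drops straight into a CI step. After rebuilding the same Telegraf source with Go 1.21.2 or newer, the stamp read by goVersionOf changes and the check passes, which is the only thing a version-matching scanner looks at.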
Thanks for the reply.
What do you mean by build here? Do you mean I need to build telegraf from its source with the appropriate Go version?
Yes
If you can’t upgrade the binary to a newer version, then the only way to resolve the CVE is to build the binary with a new version of Go. Like I said, this could take quite a bit of work.