Facing vulnerability with stdlib and google.golang.org/grpc

[rujutaghanekar]

Facing vulnerability with stdlib package

• CVE-2024-24791
• Present in golang 1.22.4 version
• Fixed in golang 1.22.5 version

Facing vulnerability with google.golang.org/grpc

• GHSA-xr7q-jx4m-x55m
• installed_version -> v1.64.0
• fixed_version -> v1.64.1

We use grpc-health-probe in our project.
Our scans are failing because of mentioned vulnerabilities.
Please update package and golang versions.

[ahmetb]

gPRC-go module is already updated to 1.65. And http/1.1 vuln doesn't impact grpc, so it's irrelevant.

[trend-shihyi-wu]

Currently, we are also using the grpc-health-probe tool in our project, and we encountered a failed security scan due to the mentioned vulnerability.
If possible, we would appreciate an update as soon as possible.
Thank you.

[stefanb]

A new release 0.4.38 was released yesterday, including fixes for all currently publicly known security issues.

See https://github.com/grpc-ecosystem/grpc-health-probe/releases/tag/v0.4.38