Details
Bug
Status: Done
Medium
Resolution: Fixed
Description
We install the toolkit from the Percona website.
Software link: https://downloads.percona.com/downloads/percona-toolkit/3.5.2/binary/tarball/percona-toolkit-3.5.3_x86_64.tar.gz
After installing the software, scanning the image with Twistlock gives us the below list of CVEs.
PRISMA-2023-0056 medium /tmp/percona-toolkit-3.5.3/bin/pt-mongodb-index-check open
PRISMA-2023-0056
Severity: Medium
Impacted versions: *
Discovered: less than an hour ago
Published: 34 days ago
Description: The github.com/sirupsen/logrus module of all versions is vulnerable to denial of service. Logging more than 64kb of data in a single entry without newlines causes the log writer function to hang indefinitely.
Details about the vulnerability are available in the Twistlock tool: PRISMA-2023-0056
Can we expect a newer tar gz for Linux OS to get published and when?