lostluck commented on issue #31913: URL: https://github.com/apache/beam/issues/31913#issuecomment-2248147044
This will be fixed with the 2.58 release currently in validation. The CVE was fixed as part of the Go 1.22.4 release and the Beam 2.58 release binaries are using Go 1.22.5. See https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ

The Go version for the boot loaders was updated in https://github.com/apache/beam/pull/31812 which is part of the release.

The other linked issues are unrelated deprecated docker package issues that do not affect the SDK bootloaders. The docker package isn't well behaved and constantly makes breaking changes in minor versions. But as it's merely calling out to the local docker daemon the risks are much lower.

Again, docker is *not* used on the SDK boot path. It's used in this instance by the prism runner for local use.

I'm going to close this issue as a result of the above, but thank you for the report!
