Please recompile with a newer version of stdlib + golang.org/x/crypto

[erickpeirson]

Hey folks; the latest version of teradatasql 20.0.0.20 (specifically the artifacts teradatasql.dylib and teradatasql.so) was compiled against stdlib version 1.22.4. This version of stdlib is affected by the following vulnerabilities:

• CVE-2024-34158
• CVE-2024-24791
• CVE-2024-34156
• CVE-2024-34155

That library also includes the Go dependency golang.org/x/crypto version 0.24.0, which is subject to the following vulnerability:

• CVE-2024-45337

Many vulnerability scanners score these as "high severity," which means that enterprise users will have difficulty availing themselves of this library in secure environments.

Would it be possible to release a fresh build against:

• stdlib version 1.22.7 or newer
• golang.org/x/crypto version 0.31.0 or newer

Thanks in advance!

[erickpeirson]

Friendly nudge @tomcnolan

[tomcnolan]

Thanks @erickpeirson we will look into this. Closing this PR.

[mdediana]

@erickpeirson Thanks for working on this!

Is there a way to know when the new version with the fix is rolled out? Apparently 20.0.0.21 released on Dec 12 doesn't fix it yet. Maybe if Github Issues was allowed in this repo it would be simpler to track this type of issue.

[tomcnolan]

Our next build is likely to be in January 2025. Just FYI, the Teradata Python driver and GoSQL driver do not use any of the APIs affected by the CVEs listed above.

[erickpeirson]

Our next build is likely to be in January 2025. Just FYI, the Teradata Python driver and GoSQL driver do not use any of the APIs affected by the CVEs listed above.

@tomcnolan appreciate that. The reality is that enterprise security teams don't really care whether the software is impacted in fact; just that their vulnerability scanner is flagging.

What this will mean for software that uses teradatasql is that we won't be able to ship updates to those customers until a teradatasql build comes out that does not get flagged for the vulnerabilities listed above.

[erickpeirson]

Hey @tomcnolan, happy new year! Touching base on the issues above. We upgraded to teradatasql 20.0.0.22, but unfortunately (unless we're misreading, which is possible) it does not appear to include upgrades to stdlib nor golang.org/x/crypto sufficient to resolve the CVEs listed above.

Do you have a sense of when these might be addressed? Appreciate your help!

[tomcnolan]

Hi @erickpeirson

We are waiting for:
golang/go#69988 runtime: severe performance drop for cgo calls in go1.22.5 [1.23 backport]

which is being shipped to Go 1.23.5 https://github.com/golang/go/milestone/379?closed=1

We will be able to proceed after Go 1.23.5 is available.

[tomcnolan]

We shipped Teradata SQL Driver for Python 20.0.0.23 which is built with Go 1.23.5 and golang.org/x/crypto v0.32.0

[erickpeirson]

@tomcnolan Really appreciate it! This cleared the CVEs mentioned above.

In the future, is there a better way to reach you than opening fake PRs? ;-) Thoughts on opening the Issues feature on the repo?

Thanks again!

[tomcnolan]

@erickpeirson Sorry, no, we have no plans to enable the Issues tab on the repo. We do not intend to use GitHub as a support channel, and we want to avoid fake PRs for support.

Our intended support channels are listed in the Python driver README:
Teradata Customer Support is available at https://support.teradata.com/
Community support is available at https://support.teradata.com/community