
Conversation

@bhamail
Contributor

@bhamail bhamail commented Aug 18, 2020

We're using Viper in nancy. Thanks so much for a great tool!

During a recent CI build, nancy discovered a vulnerability in a transitive dependency of Viper. This PR includes a replace directive to use a newly released update of that transitive dependency etcd. This transitive dep is pulled in by github.com/bketelsen/crypt.

```shell
$ go mod graph | grep coreos/etcd
github.com/bketelsen/[email protected] github.com/coreos/[email protected]+incompatible
```

I submitted a PR to crypt, so hopefully there will soon be a non-vulnerable version of crypt available, to which Viper can upgrade. Meanwhile, this PR provides a way to use a non-vulnerable version of etcd if you like.

@sagikazarmark
Collaborator

Thanks, I'll take a look at it soon

@SVilgelm

No need for these fixes anymore; the issue is fixed in crypt: bketelsen/crypt#10
The go.mod should be updated to use the latest commit, or just wait a bit until they bump a new tag.

@SVilgelm

v0.0.3 is released.

@babulalsph

Any update on the above vulnerability issue? I am still getting the same vulnerability with viper v1.7.1.
github.com/bketelsen/[email protected] github.com/coreos/[email protected]+incompatible

Looks like the github.com/bketelsen/crypt package has fixed this vulnerability. If we upgrade github.com/bketelsen/crypt to v0.0.3, that will fix this issue.

Please update ASAP; we are getting this vulnerability in many projects.
