Requesting new release

[treydock]

Our organization is flagging Choria as vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2024-45337 do to out of date crypto Go dependency. It seems main branch is using new enough but latest release is depends on too old.

go-choria/go.mod

Line 50 in f2e598b

golang.org/x/crypto v0.26.0

[ripienaar]

The vulnerability does not affect Choria. So getting a release out due to that is low priority.

I think you want Windows binaries right? Realistically I am not in a position to continue shipping those binaries. If someone contributed:

1. Moving testing from current CI host to GHA
2. Building msi in GHA

I'd continue to do that, but other than that I dont think there will be further windows releases

[treydock]

I think you want Windows binaries right? Realistically I am not in a position to continue shipping those binaries. If someone contributed:

This is for Linux (RHEL8 and RHEL9 specifically) and systems being scanned by vulnerability scanners looking at vulnerable Go dependencies. Any additional details about why this doesn't affect Choria? I'm not sure saying "This does not affect Choria" would be sufficient for our security team.

[ripienaar]

Choria doesn’t do ssh. The bug is ssh related.