CVE-2024-45337 - golang.org/x/crypto

[TidbitSoftware]

Bug description

Getting "CVE-2024-45337 - golang.org/x/crypto" from Amazon Inspector on a TLJH installation on AWS. Its asks that the crypto package be upgraded to version 0.31.0, but I'm having a hard time finding the go binary in the hub environment. Could you please advise on how to upgrade?

[manics]

The only binary compiled from Go that I'm aware of is Traefik.
https://github.com/jupyterhub/the-littlest-jupyterhub/blob/main/tljh%2Ftraefik.py#L32
Does switching to the latest version resolve the CVE warning?

[TidbitSoftware]

Not sure that I know how to go about doing so. I've upgrade TLJH using the regular install procedure. Over SSH, if I do source /opt/tljh/hub/bin/activate, then once the hub env is active, pip show traefik, I get "WARNING: Package(s) not found: traefik". pip list | grep traefik does show "jupyterhub-traefik-proxy 2.0.0", but I'm not sure that's where the binary is from.

[minrk]

Traefik can be downloaded by that package, but it is not part of it. You can get a fresh traefik binary with:

python3 -m jupyterhub_traefik_proxy.install --traefik-version 3.4.0

which will download a binary to ./depenencies/traefik. You can then move it to replace the currently installed traefik.