(security): Bump golang.org/x/net module by milosgajdos · Pull Request #4542 · distribution/distribution · GitHub

(security): Bump golang.org/x/net module #4542


Merged (1 commit), Jan 10, 2025

Conversation

milosgajdos (Member):

Fixes: https://nvd.nist.gov/vuln/detail/CVE-2024-45338

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
@github-actions github-actions bot added the dependencies Pull requests that update a dependency file label Dec 20, 2024
@thaJeztah (Member):

Can you remove the "security" from the PR and commit message to not scare people; this is a false positive as we don't use this code; vulnerability is in the html package;

Version v0.33.0 of golang.org/x/net fixes a vulnerability in the golang.org/x/net/html package which could cause a denial of service.

Which is not in use;

ls -l vendor/golang.org/x/net/
total 8
-rw-r--r--  1 root root 1453 Dec 10 09:39 LICENSE
-rw-r--r--  1 root root 1303 Oct 10 07:33 PATENTS
drwxr-xr-x  3 root root   96 Nov  4 09:20 http
drwxr-xr-x 27 root root  864 Dec 10 09:39 http2
drwxr-xr-x 17 root root  544 Nov  4 09:20 idna
drwxr-xr-x  3 root root   96 Oct 10 07:33 internal
drwxr-xr-x  5 root root  160 Nov  4 09:20 trace

And confirmed by govulncheck that there are no vulnerabilities in our code;

git rev-parse --verify HEAD
4890d9e03616d563083fa944aaa083cc49b54ff5

git describe --tags --match="v[0-9]*" HEAD
v3.0.0-rc.2

go install golang.org/x/vuln/cmd/govulncheck@latest

govulncheck -show=verbose ./...
Scanning your code and 840 packages across 109 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

=== Package Results ===

No other vulnerabilities found.

=== Module Results ===

Vulnerability #1: GO-2024-3333
    Non-linear parsing of case-insensitive content in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2024-3333
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.30.0
    Fixed in: golang.org/x/net@v0.33.0

Vulnerability #2: GO-2022-0646
    CBC padding oracle issue in AWS S3 Crypto SDK for golang in
    github.com/aws/aws-sdk-go
  More info: https://pkg.go.dev/vuln/GO-2022-0646
  Module: github.com/aws/aws-sdk-go
    Found in: github.com/aws/aws-sdk-go@v1.55.5
    Fixed in: N/A

Vulnerability #3: GO-2022-0635
    In-band key negotiation issue in AWS S3 Crypto SDK for golang in
    github.com/aws/aws-sdk-go
  More info: https://pkg.go.dev/vuln/GO-2022-0635
  Module: github.com/aws/aws-sdk-go
    Found in: github.com/aws/aws-sdk-go@v1.55.5
    Fixed in: N/A

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 3
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
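The comment above relies on the difference between govulncheck's Symbol, Package and Module result sections. As an added example (not code from the PR or from the distribution project), here is a small Go program that parses the verbose text output quoted above and tags each finding with the section it appeared under; the sample input is a constructed, trimmed copy of that output, and the parser assumes the line layout shown there.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one govulncheck entry plus the result section it appeared under:
// "Symbol" (your code calls it), "Package" (only imported) or "Module" (only required).
type Finding struct{ Level, ID, Module, FoundIn, FixedIn string }

// ParseGovulncheck reads `govulncheck -show=verbose` text output and tags each finding
// with its section, so module-only hits (GO-2024-3333 here) stay apart from reachable ones.
func ParseGovulncheck(out string) []Finding {
	var fs []Finding
	level := ""
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		key, val, _ := strings.Cut(line, ":")
		val = strings.TrimSpace(val)
		switch {
		case strings.HasPrefix(line, "=== "):
			level = strings.Fields(line)[1] // "Symbol", "Package" or "Module"
		case strings.HasPrefix(key, "Vulnerability #"):
			fs = append(fs, Finding{Level: level, ID: val})
		case len(fs) == 0: // preamble before the first finding; nothing to attach to
		case key == "Module":
			fs[len(fs)-1].Module = val
		case key == "Found in":
			fs[len(fs)-1].FoundIn = val
		case key == "Fixed in":
			fs[len(fs)-1].FixedIn = val
		}
	}
	return fs
}

// Constructed sample: a trimmed copy of the govulncheck output quoted in the PR thread.
const sampleOutput = `=== Symbol Results ===
No vulnerabilities found.
=== Module Results ===
Vulnerability #1: GO-2024-3333
    Non-linear parsing of case-insensitive content in golang.org/x/net/html
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.30.0
    Fixed in: golang.org/x/net@v0.33.0`
func main() {
	for _, f := range ParseGovulncheck(sampleOutput) {
		fmt.Printf("%-6s %s %s -> %s\n", f.Level, f.ID, f.FoundIn, f.FixedIn)
	}
}
```

Only findings tagged Symbol mean the scanned code can reach the vulnerable function; a Module-level tag, as for GO-2024-3333 above, is the case the comment describes.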

@milosgajdos (Member, Author):

No need to scrap anything IMHO.

Anything that has a CVE assigned IS a security vulnerability. Yes, I do know we don't use it, but that doesn't mean we shouldn't patch it or that we shouldn't mark it as a security issue.

Besides, we are not here to make people feel good about their deployments 🤷‍♂️

@thaJeztah (Member):

Point is that I want to reduce noise, and I'm already getting a ton of that in just about every repository that's using Go; if possible, avoid ambiguity (as it's not fixing an issue in this repository).

@wy65701436 (Collaborator) left a comment:

lgtm

@milosgajdos (Member, Author):

Ping @davidspek

@davidspek (Collaborator) left a comment:

Sorry for the slow response.

@milosgajdos milosgajdos merged commit 3270367 into distribution:main Jan 10, 2025
17 checks passed