x/net: module depends on vulnerable version of x/text@v0.3.0 #40597

jasdel · 2020-08-06T00:12:56Z

What version of Go are you using (`go version`)?

go version go1.14 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (`go env`)?

go env Output

GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/jasdel/Library/Caches/go-build"
GOENV="/Users/jasdel/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/jasdel/workspace/golang"
GOPRIVATE=""
GOPROXY="direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/jasdel/workspace/sdk/aws-sdk-go-v2/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/zn/blg7pz1d5z78rx6ft728rb21ynfdwy/T/go-build723822923=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

The golang.org/x/net@latest module has a dependency on golang.org/x/text@v0.3.0 module which has a known vulnerability, CVE-2020-14040. golang.org/x/text tag v0.3.3 resolves the issue.

I help maintain a library that has a dependency on on golang.org/x/net, and the CVE for golang.org/x/text@v0.3.0 is getting flagged as a vulnerability for users of the library i help maintain, aws/aws-sdk-go#3457. The best workaround I think I can suggest for users is to add a replace statement in their application's go.mod until golang.org/x/net is updated.

go mod edit --replace=golang.org/x/text@v0.3.0=golang.org/x/text@v0.3.3

What did you expect to see?

The golang.org/x/net/@latest module depend on golang.org/x/text@v0.3.3.

PR golang/net#77 updates the golang.org/x/net module, but looks like may not of been accepted due to the May - July code freeze.

What did you see instead?

golang.org/x/net@latest depends on golang.org/x/text@v0.3.0

The text was updated successfully, but these errors were encountered:

toothrot · 2020-08-07T17:15:34Z

/cc @bradfitz @ianlancetaylor

jasdel · 2020-11-17T17:40:37Z

Looks like this issue can be closed, because the golang.org/x/net go.sum was updated in golang/net@a7d1128

gopherbot added this to the Unreleased milestone Aug 6, 2020

golang deleted a comment Aug 6, 2020

toothrot changed the title ~~x/net depends on vulnerable version v0.3.0 x/text~~ x/net: module depends on vulnerable version of x/text@v0.3.0 Aug 7, 2020

toothrot added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Aug 7, 2020

jasdel closed this as completed Nov 17, 2020

golang locked and limited conversation to collaborators Nov 17, 2021

gopherbot added the FrozenDueToAge label Nov 17, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/net: module depends on vulnerable version of x/text@v0.3.0 #40597

x/net: module depends on vulnerable version of x/text@v0.3.0 #40597

jasdel commented Aug 6, 2020

toothrot commented Aug 7, 2020

jasdel commented Nov 17, 2020

x/net: module depends on vulnerable version of x/text@v0.3.0 #40597

x/net: module depends on vulnerable version of x/text@v0.3.0 #40597

Comments

jasdel commented Aug 6, 2020

What version of Go are you using (go version)?

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (go env)?

What did you do?

What did you expect to see?

What did you see instead?

toothrot commented Aug 7, 2020

jasdel commented Nov 17, 2020

What version of Go are you using (`go version`)?

What operating system and processor architecture are you using (`go env`)?