x/mod: uses crypto version with CVE #48943

Closed
alexhudici opened this issue Oct 13, 2021 · 3 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.

@alexhudici

CVE-2020-9283
synk.io
cve.mitre.org

Does this issue reproduce with the latest release?

The master branch currently has v0.0.0-20191011191535-87dc89f01550

@gopherbot gopherbot added this to the Unreleased milestone Oct 13, 2021
@toothrot toothrot added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 13, 2021
@toothrot toothrot changed the title x/mod uses crypto version with CVE x/mod: uses crypto version with CVE Oct 13, 2021
@toothrot
Contributor

@bcmills @jayconrod @matloob

@jayconrod
Contributor

jayconrod commented Oct 13, 2021

The only package in golang.org/x/crypto transitively imported by packages in golang.org/x/mod is golang.org/x/crypto/ed25519, so I don't believe we're affected by this.

Of course, there's no harm in updating the dependency.

(In the future, it's preferred to report security issues by emailing security@golang.org instead of opening a public issue, in case a vulnerability needs to be resolved discreetly. https://golang.org/security explains more).
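
The distinction drawn in the comment above, between a module version that matches an advisory and the packages actually imported from that module, as an added Go example that is not part of the thread or of the Go project's tooling. `Advisory`, `Reachable` and the `sampleDeps` listing are hypothetical and constructed; placing the flaw in `golang.org/x/crypto/ssh` follows the public CVE-2020-9283 description and is not stated in this thread.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample of what
//   go list -deps -f '{{.ImportPath}} {{with .Module}}{{.Path}}{{end}}' ./...
// could print for x/mod; standard-library packages have no module column.
const sampleDeps = `crypto/sha256
golang.org/x/crypto/ed25519 golang.org/x/crypto
golang.org/x/mod/sumdb/note golang.org/x/mod
golang.org/x/mod/sumdb golang.org/x/mod
`

// Advisory names a module and the packages inside it that hold the flaw.
type Advisory struct {
	Module   string
	Packages []string
}

// Reachable parses "importpath module" lines and returns the packages that are
// imported from adv.Module (used) and the subset that the advisory covers (hit).
func Reachable(deps string, adv Advisory) (used, hit []string) {
	affected := make(map[string]bool)
	for _, p := range adv.Packages {
		affected[p] = true
	}
	sc := bufio.NewScanner(strings.NewReader(deps))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 || f[1] != adv.Module {
			continue // stdlib package or a different module
		}
		used = append(used, f[0])
		if affected[f[0]] {
			hit = append(hit, f[0])
		}
	}
	return used, hit
}

func main() {
	// Assumption: affected package taken from the public CVE text, not this thread.
	adv := Advisory{"golang.org/x/crypto", []string{"golang.org/x/crypto/ssh"}}
	used, hit := Reachable(sampleDeps, adv)
	fmt.Printf("imported from %s: %v\naffected and reachable: %v\n", adv.Module, used, hit)
}
```

An empty `hit` list with a non-empty `used` list is the situation the comment describes: the module is required, but none of its affected packages are in the import graph.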

@gopherbot

Change https://golang.org/cl/355630 mentions this issue: x/mod: update requirement on x/crypto

@golang golang locked and limited conversation to collaborators Oct 13, 2022