x/crypto: Update golang.org/x/text to 0.3.7 #51216
Comments
FYI
For what it's worth, this is causing some deep scanning vuln checkers to fire - i.e. Snyk as it's reading Updating
Change https://go.dev/cl/387654 mentions this issue:
Vulnerability scanners that detect this as a vulnerability are firing false positives, and I wish we didn't set the example that it's ok to cause work and churn in all unaffected downstream users of a package with a vulnerability. This is the fifth CL we get to fix a vulnerability that does not affect the modules the CLs are filed against. https://go-review.googlesource.com/c/net/+/241127 This kind of busywork and noise is what discourages packages from reporting vulnerabilities to the database, and precisely what we set out to avoid with govulncheck. /cc @golang/vulndb @golang/security
@FiloSottile 💯! Trust me, I was annoyed at Snyk once I worked out what was going on...
x/crypto is currently using version 0.3.6 of golang.org/x/text which has a denial of service vulnerability: https://osv.dev/vulnerability/GO-2021-0113.

I would like to request that x/crypto updates its modules to use version 0.3.7 or higher of golang.org/x/text. Alternatively, if you're confident that x/crypto does not call the vulnerable functions, go ahead and close this issue.
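
The distinction the thread turns on, between a go.mod version match and actually using the affected code, sketched as an added example (not code from the Go project, x/crypto or govulncheck). It checks imports only, which is coarser than govulncheck's call analysis; the sample go.mod, the sample source file and the affected package path golang.org/x/text/language are assumptions not stated on this page.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strings"
)

// Constructed sample inputs (not x/crypto's real go.mod or sources).
const sampleGoMod = "module example.com/demo\n\nrequire golang.org/x/text v0.3.6 // indirect\n"
var sampleSources = map[string]string{"hash.go": "package demo\n\nimport \"crypto/sha256\"\n"}

// older compares plain vMAJOR.MINOR.PATCH versions (no pre-release handling).
func older(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// Triage returns the version-only verdict and whether any file imports pkg.
func Triage(gomod string, srcs map[string]string, module, fixed, pkg string) (versionHit, imported bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module && older(f[1], fixed) {
			versionHit = true // all that a go.mod-only scanner sees
		}
	}
	for name, src := range srcs {
		f, err := parser.ParseFile(token.NewFileSet(), name, src, parser.ImportsOnly)
		if err != nil {
			continue // unparsable file: skipped in this sketch
		}
		for _, imp := range f.Imports {
			imported = imported || strings.Trim(imp.Path.Value, "\"`") == pkg
		}
	}
	return
}

func main() {
	// Affected package path is an assumption, not taken from this page.
	fmt.Println(Triage(sampleGoMod, sampleSources, "golang.org/x/text", "v0.3.7", "golang.org/x/text/language"))
}
```

A `true false` result is the case described in the comments above: the version matches the advisory range, but nothing in the module imports the affected package.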