However, the actual CVE says that it was fixed in 1.17.13 and 1.18.5, so those should not be listed as affected versions.
A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.
This is just one example. All the pages under https://pkg.go.dev/vuln that I checked have this mistake.
I believe this is working as intended in CL 411077 but is nonetheless confusing. CC'ing @julieqiu @jba from the Security team. I can understand go1.18.0 - go1.18.5 not being inclusive of go1.18.5 but go1.17.13 and earlier seems incorrect. Should we rework this description or revert to the table configuration?
jamalc added WaitingForInfo and removed WaitingForInfo labels on Aug 29, 2022
https://pkg.go.dev/vuln/GO-2022-0537
This page currently reads as follows: