x/crypto: imports vulnerable x/net #63805

Open
rjboer opened this issue Oct 28, 2023 · 4 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. Security
Comments

rjboer commented Oct 28, 2023

What version of Go are you using (go version)?

$ go version 1.20

Does this issue reproduce with the latest release?

YES

What operating system and processor architecture are you using (go env)?

x64 windows

What did you do?

Vulnerability scanners show error: CVE-2023-44487, CVE-2023-3978, based on a really old x/net library being referenced in the x/crypto go.mod file. Complete bullshit of course, since the crypto lib itself is not vulnerable to those weaknesses.
It however hinders automatic scanning of open-source projects and obscures real cybersecurity threats (false positive).

golang.org/x/crypto@v0.14.0 › golang.org/x/net@v0.10.0
Fixed in golang.org/x/net@0.17.0

Please update the go.mod file of package x/crypto to x/net to version > 0.17
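The distinction the report turns on is between what a dependency's go.mod asks for and what the consumer's build actually selects: Go keeps the highest version required anywhere in the module graph, so an application that itself requires golang.org/x/net v0.17.0 builds against v0.17.0 even though x/crypto v0.14.0 still lists v0.10.0. The program below, added here as an illustration and not code from the Go project or from the reporter, walks a set of go.mod texts with a simplified minimal version selection and reports both views. The module example.com/app, the go.mod contents and the helper names (ParseRequires, Select, Audit) are assumptions constructed for the example; only the x/net v0.10.0 requirement under x/crypto v0.14.0 and the v0.17.0 fix version come from the report.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Requirement is one "require" edge read from a go.mod file.
type Requirement struct{ Path, Version string }

// ParseRequires extracts require directives (one-line and block form),
// dropping "//" comments such as the "// tagx:ignore" marker.
func ParseRequires(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case inBlock && len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			reqs = append(reqs, Requirement{f[0], f[1]})
		case !inBlock && len(f) == 3 && f[0] == "require":
			reqs = append(reqs, Requirement{f[1], f[2]})
		}
	}
	return reqs
}

// CompareVersions returns <0, 0 or >0 for vMAJOR.MINOR.PATCH tags
// (pre-release suffixes and pseudo-versions are not handled).
func CompareVersions(a, b string) int {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x - y
		}
	}
	return len(pa) - len(pb)
}

// Select is a simplified minimal version selection: walk every go.mod reachable
// from root and keep the highest version required for each module path. Modules
// absent from gomods are treated as requiring nothing; graph pruning and
// replace/exclude directives are deliberately not modelled.
func Select(root string, gomods map[string]string) map[string]string {
	selected := map[string]string{}
	seen := map[string]bool{root: true}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		for _, r := range ParseRequires(gomods[queue[0]]) {
			if v, ok := selected[r.Path]; !ok || CompareVersions(r.Version, v) > 0 {
				selected[r.Path] = r.Version
			}
			if key := r.Path + "@" + r.Version; gomods[key] != "" && !seen[key] {
				seen[key] = true
				queue = append(queue, key)
			}
		}
	}
	return selected
}

// Audit returns the modules whose selected (i.e. built) version is below the
// fixed version, and separately every require line in the graph that is below
// it; the second list is what a scanner reading dependency go.mod files reports.
func Audit(root string, gomods, fixed map[string]string) (built, stale []string) {
	selected := Select(root, gomods)
	for path, fixedAt := range fixed {
		if v, ok := selected[path]; ok && CompareVersions(v, fixedAt) < 0 {
			built = append(built, path+"@"+v)
		}
	}
	for from, text := range gomods {
		for _, r := range ParseRequires(text) {
			if fixedAt, ok := fixed[r.Path]; ok && CompareVersions(r.Version, fixedAt) < 0 {
				stale = append(stale, from+" requires "+r.Path+"@"+r.Version)
			}
		}
	}
	sort.Strings(built)
	sort.Strings(stale)
	return built, stale
}

// Constructed go.mod texts (assumption): only the x/net line under x/crypto
// reflects the report; the app's direct x/net v0.17.0 requirement is the fix.
var SampleModules = map[string]string{
	"example.com/app":             "module example.com/app\nrequire (\n\tgolang.org/x/crypto v0.14.0\n\tgolang.org/x/net v0.17.0\n)",
	"golang.org/x/crypto@v0.14.0": "module golang.org/x/crypto\nrequire golang.org/x/net v0.10.0 // tagx:ignore",
}

// Fixed version taken from the scanner output quoted in the report.
var FixedVersions = map[string]string{"golang.org/x/net": "v0.17.0"}

func main() {
	built, stale := Audit("example.com/app", SampleModules, FixedVersions)
	fmt.Println("vulnerable in build:", built)
	fmt.Println("stale require lines:", stale)
}
```

Against a real checkout the same two views come from `go list -m all` (the selected versions) and `go mod graph` (every require edge); `govulncheck` goes one step further and only reports a module when vulnerable symbols are reachable from the program. If the application has no direct x/net requirement, Select lands on v0.10.0 and the finding is real, which is the case a dependency-only bump in the application go.mod addresses.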

@mauri870 mauri870 changed the title affected/package: x/crypto: old x/net version referenced x/crypto: imports vulnerable x/net Oct 29, 2023
@gopherbot gopherbot added this to the Unreleased milestone Oct 29, 2023
@mauri870 mauri870 added Security NeedsFix The path to resolution is known, but the work has not been done. labels Oct 29, 2023
mauri870 (Member) commented

Will be addressed by CL 538056

bcmills (Contributor) commented Oct 30, 2023

@golang/release, should there be a step in the security release process to update the // tagx:ignore dependencies in subrepos?

gcstang commented Feb 9, 2024

This still seems to be an issue. Is there any timeline to fix it?
Applications using golang.org/x/crypto are being flagged as a security issue due to crypto using an old version of golang.org/x/net: v0.10.0

CVE-2023-44487
CVE-2023-3978

panagiotis-bitharis commented

Nessus scan flags it as a security issue
CVE-2023-45288
