x/crypto: CVE-2023-39325 #65407

phillipsj · 2024-01-31T16:30:45Z

Go version

golang:1.20 container

Output of `go env` in your module/workspace:

NA

What did you do?

Installed a module that uses x/crypto 0.18.0, which uses x/net 0.10.0.

What did you see happen?

This was flagged for this CVE because of the older version of x/net used by x/crypto.

What did you expect to see?

I would expect x/crypto to being using a fixed version of x/net 0.17 or newer.

The text was updated successfully, but these errors were encountered:

mknyszek · 2024-01-31T16:56:33Z

CC @golang/security

rolandshoemaker · 2024-01-31T17:13:15Z

CVE-2023-39325 affects the HTTP/2 server, which is not used by x/crypto. We do not make unnecessary updates to modules to upgrade dependencies on modules which have vulnerabilities in code that is not used.

gopherbot added this to the Unreleased milestone Jan 31, 2024

mknyszek added Security NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Jan 31, 2024

rolandshoemaker closed this as completed Jan 31, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/crypto: CVE-2023-39325 #65407

x/crypto: CVE-2023-39325 #65407

phillipsj commented Jan 31, 2024

mknyszek commented Jan 31, 2024

rolandshoemaker commented Jan 31, 2024

x/crypto: CVE-2023-39325 #65407

x/crypto: CVE-2023-39325 #65407

Comments

phillipsj commented Jan 31, 2024

Go version

Output of go env in your module/workspace:

What did you do?

What did you see happen?

What did you expect to see?

mknyszek commented Jan 31, 2024

rolandshoemaker commented Jan 31, 2024

Output of `go env` in your module/workspace: