MichaelMure / git-bug

Distributed, offline-first bug tracker embedded in git, with bridges

Critical security vulnerabilities in Go's standard library

smoyer64 opened this issue

Go v1.19.4 is required to resolve all the security vulnerabilities listed by govulncheck:

govulncheck ./... 
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 3 known vulnerabilities.

Vulnerability #1: GO-2022-1144
  An attacker can cause excessive memory growth in a Go server
  accepting HTTP/2 requests. HTTP/2 server connections contain a
  cache of HTTP header keys sent by the client. While the total
  number of entries in this cache is capped, an attacker sending
  very large keys can cause the server to allocate approximately
  64 MiB per open connection.

  Call stacks in your code:
      commands/webui.go:194:26: github.com/MichaelMure/git-bug/commands.runWebUI calls net/http.Server.ListenAndServe

  Found in: net/http@go1.18.6
  Fixed in: net/http@go1.19.4
  More info: https://pkg.go.dev/vuln/GO-2022-1144

Vulnerability #2: GO-2022-0969
  HTTP/2 server connections can hang forever waiting for a clean
  shutdown that was preempted by a fatal error. This condition can
  be exploited by a malicious client to cause a denial of service.

  Call stacks in your code:
      commands/webui.go:194:26: github.com/MichaelMure/git-bug/commands.runWebUI calls net/http.Server.ListenAndServe

  Found in: net/http@go1.18.6
  Fixed in: net/http@go1.19.1
  More info: https://pkg.go.dev/vuln/GO-2022-0969

Vulnerability #3: GO-2022-1039
  Programs which compile regular expressions from untrusted
  sources may be vulnerable to memory exhaustion or denial of
  service. The parsed regexp representation is linear in the size
  of the input, but in some cases the constant factor can be as
  high as 40,000, making relatively small regexps consume much
  larger amounts of memory. After fix, each regexp being parsed is
  limited to a 256 MB memory footprint. Regular expressions whose
  representation would use more space than that are rejected.
  Normal use of regular expressions is unaffected.

  Call stacks in your code:
      repository/index_bleve.go:115:28: github.com/MichaelMure/git-bug/repository.bleveIndex.Search calls github.com/blevesearch/bleve.indexImpl.Search, which eventually calls regexp/syntax.Parse

  Found in: regexp/syntax@go1.18.6
  Fixed in: regexp/syntax@go1.19.2
  More info: https://pkg.go.dev/vuln/GO-2022-1039

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-0988
  JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
  Found in: net/url@go1.18.6
  Fixed in: net/url@go1.19.1
  More info: https://pkg.go.dev/vuln/GO-2022-0988
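The informational GO-2022-0988 finding above is about url.JoinPath handling "../" elements differently from its documentation. As an added example (not code from git-bug or the Go project), the guard below checks the joined result after the call rather than trusting any particular Go version's treatment of "../": it parses both URLs and rejects a result whose cleaned path no longer sits under the base path. The host api.example and the paths are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrEscapesBase is returned when the joined URL no longer sits under the base path.
var ErrEscapesBase = errors.New("joined path escapes base path")

// cleanPath normalises a URL path so that "", "/", "/a/b/" and "/a/b" compare predictably.
func cleanPath(p string) string {
	if p == "" {
		return "/"
	}
	return path.Clean("/" + p)
}

// SafeJoinPath wraps url.JoinPath and rejects results whose cleaned path does not
// stay inside the base URL's cleaned path. The check runs on the joined result, so it
// holds whether the Go runtime resolves "../" at join time or leaves it in place.
func SafeJoinPath(base string, elems ...string) (string, error) {
	joined, err := url.JoinPath(base, elems...)
	if err != nil {
		return "", err
	}
	baseURL, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	joinedURL, err := url.Parse(joined)
	if err != nil {
		return "", err
	}
	basePath := cleanPath(baseURL.Path)
	joinedPath := cleanPath(joinedURL.Path)
	// Compare on a directory boundary so "/v1/users" does not accept "/v1/users-admin".
	if basePath != "/" {
		basePath += "/"
		joinedPath += "/"
	}
	if !strings.HasPrefix(joinedPath, basePath) {
		return "", fmt.Errorf("%w: %q", ErrEscapesBase, joined)
	}
	return joined, nil
}

func main() {
	// Constructed inputs: a caller-supplied "../admin" element must not leave /v1/users.
	fmt.Println(SafeJoinPath("https://api.example/v1/users/", "42", "profile"))
	fmt.Println(SafeJoinPath("https://api.example/v1/users/", "../admin"))
}
```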