
x/vuln: vulncheck should not surface vulnerabilities in fixed version #55046

Closed
tatianab opened this issue Sep 13, 2022 · 1 comment
Labels: FrozenDueToAge, vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo), x/vuln

Comments

@tatianab

Moved from golang/vulndb#991 (reported by @dev-gto):

Hi, while running the latest govulncheck

go: downloading golang.org/x/vuln v0.0.0-20220912202342-0ed43f12cb05

on a system with golang 1.18.6, it is actually reporting the following

Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean
shutdown that was preempted by a fatal error. This condition can
be exploited by a malicious client to cause a denial of service.

Call stacks in your code:

  {stripped line here} calls net/http.Server.Serve

Found in: net/http@go1.18.6
Fixed in: net/http@go1.19.1
More info: https://pkg.go.dev/vuln/GO-2022-0969
However, I believe that this vulnerability affects versions 1.18.5 (included) and below, as well as 1.19.0.
Therefore, 1.18.6 should not be affected.
https://pkg.go.dev/vuln/GO-2022-0969
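The report above is about range matching: a version equal to a "fixed" boundary lies outside the affected range. As an added example (not x/vuln's own code), here is a check of a Go version against OSV-style introduced/fixed ranges; the ranges for GO-2022-0969 are constructed from the reporter's description, not copied from the vulndb entry, and versions are assumed to have the form major.minor.patch.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Event is one OSV-style affected range: from Introduced (inclusive) up to
// Fixed (exclusive). Empty Introduced means "first version", empty Fixed "unfixed".
type Event struct{ Introduced, Fixed string }

// versionKey maps "go1.18.6" (or "1.18.6") to an int that orders like the version.
func versionKey(v string) (int, error) {
	var major, minor, patch int
	_, err := fmt.Sscanf(strings.TrimPrefix(v, "go"), "%d.%d.%d", &major, &minor, &patch)
	if err != nil {
		return 0, fmt.Errorf("unrecognised Go version %q: %v", v, err)
	}
	return major*1_000_000 + minor*1_000 + patch, nil // components assumed < 1000
}

// IsAffected reports whether v lies in some [Introduced, Fixed) range, so a version equal to Fixed (go1.18.6 below) is not reported.
func IsAffected(v string, ranges []Event) (bool, error) {
	ver, err := versionKey(v)
	if err != nil {
		return false, err
	}
	for _, r := range ranges {
		lo, hi := 0, math.MaxInt // defaults: from the first version, never fixed
		if r.Introduced != "" {
			if lo, err = versionKey(r.Introduced); err != nil {
				return false, err
			}
		}
		if r.Fixed != "" {
			if hi, err = versionKey(r.Fixed); err != nil {
				return false, err
			}
		}
		if lo <= ver && ver < hi {
			return true, nil
		}
	}
	return false, nil
}

// GO-2022-0969 as the reporter describes it (constructed for this example, not
// copied from the vulndb entry): 1.18.x before 1.18.6, and 1.19.0 before 1.19.1.
var go20220969 = []Event{{Fixed: "1.18.6"}, {Introduced: "1.19.0", Fixed: "1.19.1"}}
```

With these ranges, IsAffected("go1.18.6", go20220969) returns false while "go1.18.5" and "go1.19.0" return true, which is the outcome the reporter expects from govulncheck.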

@zpavlinovic
Contributor

This is tracked in #55035, so I will close it here for now.

@golang golang locked and limited conversation to collaborators Sep 14, 2023