all: use unprefixed SemVer 2.0.0 versions in reports
Standardize on the same version syntax as OSV: X.Y.Z, no "v" prefix.
Avoids confusion about what a "go"-prefixed version is: A tag (in
which case we need to support "go1.19rc1") or a weird semver version?
Fixes golang/go#52877.
Change-Id: I4053e765f93d8c20a890d5481d264f009831b5b8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/406155
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
diff --git a/internal/database/generate.go b/internal/database/generate.go
index 715f005..2aeaa9a 100644
--- a/internal/database/generate.go
+++ b/internal/database/generate.go
@@ -14,7 +14,6 @@
"path/filepath"
"strings"
- "golang.org/x/mod/semver"
"golang.org/x/vuln/client"
"golang.org/x/vuln/osv"
"golang.org/x/vulndb/internal/derrors"
@@ -206,12 +205,10 @@
}
for _, v := range versions {
if v.Introduced != "" {
- v.Introduced = canonicalizeSemverPrefix(v.Introduced)
- a.Events = append(a.Events, osv.RangeEvent{Introduced: removeSemverPrefix(semver.Canonical(v.Introduced))})
+ a.Events = append(a.Events, osv.RangeEvent{Introduced: v.Introduced.Canonical()})
}
if v.Fixed != "" {
- v.Fixed = canonicalizeSemverPrefix(v.Fixed)
- a.Events = append(a.Events, osv.RangeEvent{Fixed: removeSemverPrefix(semver.Canonical(v.Fixed))})
+ a.Events = append(a.Events, osv.RangeEvent{Fixed: v.Fixed.Canonical()})
}
}
return osv.Affects{a}
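Review bot: `v.Introduced.Canonical()` and `v.Fixed.Canonical()` are appended without a validity check, and `semver.Canonical` returns an empty string for input it cannot parse. A report that still carries a prefixed value such as `go1.16` would therefore yield a range event with an empty version instead of a failure, which may silently change which versions the published entry marks as affected. Guard each append, e.g. `if v.Introduced != "" && v.Introduced.IsValid() {`, and surface the rejected value to the caller or a log. The function begins above this hunk and returns only `osv.Affects` here, so reporting the error would need either a signature change or a guarantee that only linted reports reach this code.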
@@ -232,29 +229,3 @@
},
}
}
-
-// removeSemverPrefix removes the 'v' or 'go' prefixes from go-style
-// SEMVER strings, for usage in the public vulnerability format.
-func removeSemverPrefix(s string) string {
- s = strings.TrimPrefix(s, "v")
- s = strings.TrimPrefix(s, "go")
- return s
-}
-
-// canonicalizeSemverPrefix turns a SEMVER string into the canonical
-// representation using the 'v' prefix, as used by the OSV format.
-// Input may be a bare SEMVER ("1.2.3"), Go prefixed SEMVER ("go1.2.3"),
-// or already canonical SEMVER ("v1.2.3").
-func canonicalizeSemverPrefix(s string) string {
- return addSemverPrefix(removeSemverPrefix(s))
-}
-
-// addSemverPrefix adds a 'v' prefix to s if it isn't already prefixed
-// with 'v' or 'go'. This allows us to easily test go-style SEMVER
-// strings against normal SEMVER strings.
-func addSemverPrefix(s string) string {
- if !strings.HasPrefix(s, "v") && !strings.HasPrefix(s, "go") {
- return "v" + s
- }
- return s
-}
diff --git a/internal/database/generate_test.go b/internal/database/generate_test.go
index 86d0922..9206a7d 100644
--- a/internal/database/generate_test.go
+++ b/internal/database/generate_test.go
@@ -21,9 +21,9 @@
{
Module: "example.com/vulnerable/v2",
Versions: []report.VersionRange{
- {Fixed: "v2.1.1"},
- {Introduced: "v2.3.4", Fixed: "v2.3.5"},
- {Introduced: "v2.5.0"},
+ {Fixed: "2.1.1"},
+ {Introduced: "2.3.4", Fixed: "2.3.5"},
+ {Introduced: "2.5.0"},
},
Symbols: []string{"A", "B.b"},
DerivedSymbols: []string{"D"},
@@ -33,9 +33,9 @@
Package: "vanity.host/vulnerable/package",
Symbols: []string{"b", "A.b"},
Versions: []report.VersionRange{
- {Fixed: "v2.1.1"},
- {Introduced: "v2.3.4", Fixed: "v2.3.5"},
- {Introduced: "v2.5.0"},
+ {Fixed: "2.1.1"},
+ {Introduced: "2.3.4", Fixed: "2.3.5"},
+ {Introduced: "2.5.0"},
},
},
{
@@ -43,7 +43,7 @@
Package: "example.com/also-vulnerable/package",
Symbols: []string{"z"},
Versions: []report.VersionRange{
- {Fixed: "v2.1.1"},
+ {Fixed: "2.1.1"},
},
},
},
@@ -182,8 +182,8 @@
func TestSemverCanonicalize(t *testing.T) {
in := []report.VersionRange{
{
- Introduced: "go1.16",
- Fixed: "go1.17",
+ Introduced: "1.16.0",
+ Fixed: "1.17.0",
},
}
expected := osv.Affects{
diff --git a/internal/report/cve.go b/internal/report/cve.go
index 55890db..b92ee14 100644
--- a/internal/report/cve.go
+++ b/internal/report/cve.go
@@ -97,13 +97,13 @@
for _, vr := range versions {
if vr.Introduced != "" {
vd.Data = append(vd.Data, cveschema.VersionDataItem{
- VersionValue: vr.Introduced,
+ VersionValue: string(vr.Introduced),
VersionAffected: ">=",
})
}
if vr.Fixed != "" {
vd.Data = append(vd.Data, cveschema.VersionDataItem{
- VersionValue: vr.Fixed,
+ VersionValue: string(vr.Fixed),
VersionAffected: "<",
})
}
diff --git a/internal/report/ghsa.go b/internal/report/ghsa.go
index 1658a1e..c52c7c7 100644
--- a/internal/report/ghsa.go
+++ b/internal/report/ghsa.go
@@ -57,7 +57,7 @@
items, err := parseVulnRange(vulnRange)
if err != nil {
return []VersionRange{{
- Introduced: fmt.Sprintf("TODO (got error %q)", err),
+ Introduced: Version(fmt.Sprintf("TODO (got error %q)", err)),
}}
}
@@ -65,19 +65,19 @@
// Most common case: a single "<" item with a version that matches earliestFixed.
if len(items) == 1 && items[0].op == "<" && items[0].version == earliestFixed {
- intro = "v0.0.0"
- fixed = "v" + earliestFixed
+ intro = "0.0.0"
+ fixed = earliestFixed
}
// Two items, one >= and one <, with the latter matching earliestFixed.
if len(items) == 2 && items[0].op == ">=" && items[1].op == "<" && items[1].version == earliestFixed {
- intro = "v" + items[0].version
- fixed = "v" + earliestFixed
+ intro = items[0].version
+ fixed = earliestFixed
}
// A single "<=" item with no fixed version.
if len(items) == 1 && items[0].op == "<=" && earliestFixed == "" {
- intro = "v0.0.0"
+ intro = "0.0.0"
}
if intro == "" {
@@ -85,11 +85,11 @@
}
// Unset intro if vuln was always present.
- if intro == "v0.0.0" {
+ if intro == "0.0.0" {
intro = ""
}
- return []VersionRange{{Introduced: intro, Fixed: fixed}}
+ return []VersionRange{{Introduced: Version(intro), Fixed: Version(fixed)}}
}
type vulnRangeItem struct {
diff --git a/internal/report/ghsa_test.go b/internal/report/ghsa_test.go
index 13d0f57..ebe338a 100644
--- a/internal/report/ghsa_test.go
+++ b/internal/report/ghsa_test.go
@@ -32,7 +32,7 @@
Module: "aModule",
Package: "aPackage",
Versions: []VersionRange{
- {Fixed: "v1.2.3"},
+ {Fixed: "1.2.3"},
},
}},
LastModified: &updatedTime,
@@ -72,11 +72,11 @@
for _, test := range []struct {
earliestFixed string
vulnRange string
- intro, fixed string
+ intro, fixed Version
}{
- {"1.0.0", "< 1.0.0", "", "v1.0.0"},
+ {"1.0.0", "< 1.0.0", "", "1.0.0"},
{"", "<= 1.4.2", "", ""},
- {"1.1.3", ">= 1.1.0, < 1.1.3", "v1.1.0", "v1.1.3"},
+ {"1.1.3", ">= 1.1.0, < 1.1.3", "1.1.0", "1.1.3"},
{
"1.2.3", "<= 2.3.4",
`TODO (earliest fixed "1.2.3", vuln range "<= 2.3.4")`, "",
diff --git a/internal/report/lint.go b/internal/report/lint.go
index de5cbe1..cc37654 100644
--- a/internal/report/lint.go
+++ b/internal/report/lint.go
@@ -115,17 +115,17 @@
if err != nil {
return fmt.Errorf("unable to retrieve module versions from proxy: %s", err)
}
- checkVersion := func(version string) error {
- if !semver.IsValid(version) {
+ checkVersion := func(version Version) error {
+ if !version.IsValid() {
return errors.New("invalid module semver")
}
- if err := module.Check(path, version); err != nil {
+ if err := module.Check(path, version.V()); err != nil {
return err
}
- if err := versionExists(version, realVersions); err != nil {
+ if err := versionExists(version.V(), realVersions); err != nil {
return err
}
- canonicalPath, err := getCanonicalModName(path, version)
+ canonicalPath, err := getCanonicalModName(path, version.V())
if err != nil {
return err
}
@@ -181,7 +181,6 @@
addPkgIssue := func(iss string) {
issues = append(issues, fmt.Sprintf("packages[%v]: %v", i, iss))
}
- versions := p.Versions
if !stdlib.Contains(p.Module) {
if p.Module == "" {
addPkgIssue("missing module")
@@ -207,41 +206,26 @@
addPkgIssue(err.Error())
}
}
- for _, v := range p.Versions {
- if v.Introduced != "" && !semver.IsValid(v.Introduced) {
- addPkgIssue(fmt.Sprintf("invalid semantic version: %q", v.Introduced))
- }
- if v.Fixed != "" && !semver.IsValid(v.Fixed) {
- addPkgIssue(fmt.Sprintf("invalid semantic version: %q", v.Fixed))
- }
- }
} else {
if p.Package == "" {
addPkgIssue("missing package")
}
- versions = nil // replace with actual semver versions
- for _, v := range p.Versions {
- introduced := "v" + strings.TrimPrefix(v.Introduced, "go")
- fixed := "v" + strings.TrimPrefix(v.Fixed, "go")
- if v.Introduced != "" && (!strings.HasPrefix(v.Introduced, "go") || !semver.IsValid(introduced)) {
- addPkgIssue(fmt.Sprintf("invalid Go version: %q", v.Introduced))
- }
- if v.Fixed != "" && (!strings.HasPrefix(v.Fixed, "go") || !semver.IsValid(fixed)) {
- addPkgIssue(fmt.Sprintf("invalid Go version: %q", v.Fixed))
- }
- versions = append(versions, VersionRange{
- Introduced: introduced,
- Fixed: fixed,
- })
- }
}
- for i, v1 := range versions {
- if v1.Fixed != "" && semver.Compare(v1.Introduced, v1.Fixed) >= 0 {
+ for i, v1 := range p.Versions {
+ for _, v := range []Version{v1.Introduced, v1.Fixed} {
+ if v == "" {
+ continue
+ }
+ if !v.IsValid() {
+ addPkgIssue(fmt.Sprintf("invalid semantic version: %q", v))
+ }
+ }
+ if v1.Introduced != "" && v1.Fixed != "" && !v1.Introduced.Before(v1.Fixed) {
addPkgIssue(fmt.Sprintf("version %q >= %q", p.Versions[i].Introduced, p.Versions[i].Fixed))
continue
}
- for j, v2 := range versions[:i] {
- if semver.Compare(v1.Fixed, v2.Introduced) > 0 && semver.Compare(v1.Introduced, v2.Fixed) < 0 {
+ for j, v2 := range p.Versions[:i] {
+ if v2.Introduced.Before(v1.Fixed) && v1.Introduced.Before(v2.Fixed) {
addPkgIssue(fmt.Sprintf("version ranges overlap: [%v,%v), [%v,%v)", p.Versions[i].Introduced, p.Versions[i].Fixed, p.Versions[j].Introduced, p.Versions[j].Fixed))
}
}
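Review bot: The overlap test `v2.Introduced.Before(v1.Fixed) && v1.Introduced.Before(v2.Fixed)` treats an empty `Fixed` as the lowest possible version rather than as an open upper bound, because `Before` goes through `semver.Compare`, which orders an invalid string below every valid one. A range with no fix, e.g. `{Introduced: "2.5.0"}`, is therefore never reported as overlapping `{Introduced: "2.3.4", Fixed: "2.6.0"}`. Handle the open bound explicitly: `if (v1.Fixed == "" || v2.Introduced.Before(v1.Fixed)) && (v2.Fixed == "" || v1.Introduced.Before(v2.Fixed)) {`. The removed `semver.Compare` form appears to have had the same gap, so this is not a regression. The loop sits in a function that begins outside the hunk.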
@@ -291,6 +275,28 @@
for _, l := range r.Links.Context {
fixed = append(fixed, fixURL(l))
}
+ fixVersion := func(vp *Version) {
+ v := *vp
+ if v == "" {
+ return
+ }
+ v = Version(strings.TrimPrefix(string(v), "v"))
+ v = Version(strings.TrimPrefix(string(v), "go"))
+ if v.IsValid() {
+ build := semver.Build(v.V())
+ v = Version(v.Canonical())
+ if build != "" {
+ v += Version("+" + build)
+ }
+ }
+ *vp = v
+ }
+ for i, p := range r.Packages {
+ for j, _ := range p.Versions {
+ fixVersion(&r.Packages[i].Versions[j].Introduced)
+ fixVersion(&r.Packages[i].Versions[j].Fixed)
+ }
+ }
r.Links.Context = fixed
}
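Review bot: `fixVersion` has no comment, and it is not obvious why `build` is captured before `v.Canonical()` is called: `semver.Canonical` discards build metadata, so the closure re-appends it by hand. A comment such as `// fixVersion strips a leading "v" or "go" and canonicalizes valid versions, keeping build metadata that semver.Canonical drops.` would record that. It should also say that a value which is still invalid after trimming is written back with only the prefix removed, leaving it for Lint to report. The inner loop can be written `for j := range p.Versions`, the form `gofmt -s` produces. The enclosing function starts above this hunk.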
diff --git a/internal/report/lint_test.go b/internal/report/lint_test.go
index 8f045c2..43a858d 100644
--- a/internal/report/lint_test.go
+++ b/internal/report/lint_test.go
@@ -20,9 +20,9 @@
Module: "std",
Package: "time",
Versions: []VersionRange{{
- Fixed: "go1.2.1",
+ Fixed: "1.2.1",
}, {
- Fixed: "go1.3.2",
+ Fixed: "1.3.2",
}},
}},
},
@@ -33,12 +33,12 @@
Module: "std",
Package: "time",
Versions: []VersionRange{{
- Introduced: "go1.3",
- Fixed: "go1.2.1",
+ Introduced: "1.3",
+ Fixed: "1.2.1",
}},
}},
},
- want: []string{`version "go1.3" >= "go1.2.1"`},
+ want: []string{`version "1.3" >= "1.2.1"`},
}} {
got := test.report.Lint()
var missing []string
diff --git a/internal/report/report.go b/internal/report/report.go
index 6816b76..0e29d6f 100644
--- a/internal/report/report.go
+++ b/internal/report/report.go
@@ -13,13 +13,38 @@
"strings"
"time"
+ "golang.org/x/mod/semver"
"golang.org/x/vulndb/internal/derrors"
"gopkg.in/yaml.v3"
)
+// Version is an SemVer 2.0.0 semantic version with no leading "v" prefix,
+// as used by OSV.
+type Version string
+
+// V returns the version with a "v" prefix.
+func (v Version) V() string {
+ return "v" + string(v)
+}
+
+// IsValid reports whether v is a valid semantic version string.
+func (v Version) IsValid() bool {
+ return semver.IsValid(v.V())
+}
+
+// Before reports whether v < v2.
+func (v Version) Before(v2 Version) bool {
+ return semver.Compare(v.V(), v2.V()) < 0
+}
+
+// Canonical returns the canonical formatting of the version.
+func (v Version) Canonical() string {
+ return strings.TrimPrefix(semver.Canonical(v.V()), "v")
+}
+
type VersionRange struct {
- Introduced string `yaml:"introduced,omitempty"`
- Fixed string `yaml:"fixed,omitempty"`
+ Introduced Version `yaml:"introduced,omitempty"`
+ Fixed Version `yaml:"fixed,omitempty"`
}
type Package struct {
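Review bot: The method comments on `Version` do not say what happens for the empty string, which `VersionRange` uses for an unset bound, or for other invalid input. From the code, `V()` returns "v", `IsValid()` is false, `Canonical()` returns "" (via `semver.Canonical`), and `Before` orders such a value below every valid version. Callers that compare or emit bounds depend on these cases, so the comments should state them: `// Before reports whether v < v2. An empty or invalid Version compares less than any valid one.` and `// Canonical returns the canonical formatting of the version, or "" if v is not valid.`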
diff --git a/internal/worker/worker_test.go b/internal/worker/worker_test.go
index 51671d6..58c5335 100644
--- a/internal/worker/worker_test.go
+++ b/internal/worker/worker_test.go
@@ -275,7 +275,7 @@
packages:
- package: aPackage
versions:
- - fixed: v1.2.3
+ - fixed: 1.2.3
description: a description
ghsas:
- G1
diff --git a/reports/GO-2020-0001.yaml b/reports/GO-2020-0001.yaml
index c69d861..1bdba60 100644
--- a/reports/GO-2020-0001.yaml
+++ b/reports/GO-2020-0001.yaml
@@ -3,7 +3,7 @@
symbols:
- defaultLogFormatter
versions:
- - fixed: v1.6.0
+ - fixed: 1.6.0
description: |
The default Formatter for the Logger middleware (LoggerConfig.Formatter),
which is included in the Default engine, allows attackers to inject arbitrary
diff --git a/reports/GO-2020-0002.yaml b/reports/GO-2020-0002.yaml
index 670eccc..c658ed4 100644
--- a/reports/GO-2020-0002.yaml
+++ b/reports/GO-2020-0002.yaml
@@ -1,7 +1,7 @@
packages:
- module: github.com/proglottis/gpgme
versions:
- - fixed: v0.1.1
+ - fixed: 0.1.1
description: |
The Data, Context, or Key finalizers might run during or before GPGME
operations. This will release the C structures that are still in use, leading
diff --git a/reports/GO-2020-0003.yaml b/reports/GO-2020-0003.yaml
index d673b4a..f9e70da 100644
--- a/reports/GO-2020-0003.yaml
+++ b/reports/GO-2020-0003.yaml
@@ -1,7 +1,7 @@
packages:
- module: github.com/revel/revel
versions:
- - fixed: v1.0.0
+ - fixed: 1.0.0
description: |
An attacker can cause an application that accepts slice parameters
(https://revel.github.io/manual/parameters.html#slices) to allocate large
diff --git a/reports/GO-2020-0004.yaml b/reports/GO-2020-0004.yaml
index 687f06b..32932b5 100644
--- a/reports/GO-2020-0004.yaml
+++ b/reports/GO-2020-0004.yaml
@@ -8,8 +8,8 @@
- ListenAndServe
- ListenAndServeTLS
versions:
- - introduced: v0.0.0-20160722212129-ac0cc4484ad4
- fixed: v0.0.0-20200131131040-063a3fb69896
+ - introduced: 0.0.0-20160722212129-ac0cc4484ad4
+ fixed: 0.0.0-20200131131040-063a3fb69896
description: |
If any of the ListenAndServe functions are called with an empty token,
token authentication is disabled globally for all listeners.
diff --git a/reports/GO-2020-0005.yaml b/reports/GO-2020-0005.yaml
index 8899eca..60548c7 100644
--- a/reports/GO-2020-0005.yaml
+++ b/reports/GO-2020-0005.yaml
@@ -5,7 +5,7 @@
- WAL.ReadAll
- decoder.decodeRecord
versions:
- - fixed: v0.5.0-alpha.5.0.20200423152442-f4b650b51dc4
+ - fixed: 0.5.0-alpha.5.0.20200423152442-f4b650b51dc4
description: |
Malformed WALs can be constructed such that WAL.ReadAll can cause attempted
out of bounds reads, or creation of arbitrarily sized slices, which may be used as
diff --git a/reports/GO-2020-0006.yaml b/reports/GO-2020-0006.yaml
index 30702b0..a87a0de 100644
--- a/reports/GO-2020-0006.yaml
+++ b/reports/GO-2020-0006.yaml
@@ -9,7 +9,7 @@
- Server.ActivateAndServe
- Server.ListenAndServe
versions:
- - fixed: v1.0.4-0.20180125103619-43913f2f4fbd
+ - fixed: 1.0.4-0.20180125103619-43913f2f4fbd
description: |
An attacker may prevent TCP connections to a Server by opening
a connection and leaving it idle, until the connection is closed by
diff --git a/reports/GO-2020-0007.yaml b/reports/GO-2020-0007.yaml
index ff72395..b03ce71 100644
--- a/reports/GO-2020-0007.yaml
+++ b/reports/GO-2020-0007.yaml
@@ -8,7 +8,7 @@
- ScmpFilter.AddRuleConditionalExact
- ScmpFilter.AddRuleExact
versions:
- - fixed: v0.9.1-0.20170424173420-06e7a29f36a3
+ - fixed: 0.9.1-0.20170424173420-06e7a29f36a3
description: |
Filters containing rules with multiple syscall arguments are improperly
constructed, such that all arguments are required to match rather than
diff --git a/reports/GO-2020-0008.yaml b/reports/GO-2020-0008.yaml
index 03107c0..e0e59dd 100644
--- a/reports/GO-2020-0008.yaml
+++ b/reports/GO-2020-0008.yaml
@@ -9,7 +9,7 @@
- Msg.SetQuestion
- Msg.SetUpdate
versions:
- - fixed: v1.1.25-0.20191211073109-8ebf2e419df7
+ - fixed: 1.1.25-0.20191211073109-8ebf2e419df7
description: |
DNS message transaction IDs are generated using math/rand which
makes them relatively predictable. This reduces the complexity
diff --git a/reports/GO-2020-0009.yaml b/reports/GO-2020-0009.yaml
index d2f4cab..b7a60b1 100644
--- a/reports/GO-2020-0009.yaml
+++ b/reports/GO-2020-0009.yaml
@@ -4,7 +4,7 @@
symbols:
- cbcAEAD.computeAuthTag
versions:
- - fixed: v0.0.0-20160903044734-789a4c4bd4c1
+ - fixed: 0.0.0-20160903044734-789a4c4bd4c1
- module: github.com/square/go-jose
symbols:
- JsonWebEncryption.Decrypt
diff --git a/reports/GO-2020-0010.yaml b/reports/GO-2020-0010.yaml
index b00ab4f..82c14cf 100644
--- a/reports/GO-2020-0010.yaml
+++ b/reports/GO-2020-0010.yaml
@@ -6,7 +6,7 @@
- ecDecrypterSigner.decryptKey
- rawJsonWebKey.ecPublicKey
versions:
- - fixed: v0.0.0-20160831185616-c7581939a365
+ - fixed: 0.0.0-20160831185616-c7581939a365
- module: github.com/square/go-jose
symbols:
- JsonWebEncryption.Decrypt
diff --git a/reports/GO-2020-0011.yaml b/reports/GO-2020-0011.yaml
index 00bfbcf..d9687db 100644
--- a/reports/GO-2020-0011.yaml
+++ b/reports/GO-2020-0011.yaml
@@ -4,7 +4,7 @@
- JsonWebEncryption.Decrypt
- JsonWebSignature.Verify
versions:
- - fixed: v0.0.0-20160922232413-2c5656adca99
+ - fixed: 0.0.0-20160922232413-2c5656adca99
description: |
When decrypting JsonWebEncryption objects with multiple recipients
or JsonWebSignature objects with multiple signatures the Decrypt
diff --git a/reports/GO-2020-0012.yaml b/reports/GO-2020-0012.yaml
index 5810e6c..ec4bea3 100644
--- a/reports/GO-2020-0012.yaml
+++ b/reports/GO-2020-0012.yaml
@@ -8,7 +8,7 @@
- skEd25519PublicKey.Verify
- NewPublicKey
versions:
- - fixed: v0.0.0-20200220183623-bac4c82f6975
+ - fixed: 0.0.0-20200220183623-bac4c82f6975
description: |
An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public
key, such that the library will panic when trying to verify a signature
diff --git a/reports/GO-2020-0013.yaml b/reports/GO-2020-0013.yaml
index ae9a823..756e18d 100644
--- a/reports/GO-2020-0013.yaml
+++ b/reports/GO-2020-0013.yaml
@@ -4,7 +4,7 @@
symbols:
- NewClientConn
versions:
- - fixed: v0.0.0-20170330155735-e4e2799dd7aa
+ - fixed: 0.0.0-20170330155735-e4e2799dd7aa
description: |
By default host key verification is disabled which allows for
man-in-the-middle attacks against SSH clients if
diff --git a/reports/GO-2020-0014.yaml b/reports/GO-2020-0014.yaml
index eb13d8a..189016d 100644
--- a/reports/GO-2020-0014.yaml
+++ b/reports/GO-2020-0014.yaml
@@ -5,7 +5,7 @@
- inSelectIM
- inSelectInTableIM
versions:
- - fixed: v0.0.0-20190125091013-d26f9f9a57f3
+ - fixed: 0.0.0-20190125091013-d26f9f9a57f3
description: |
html.Parse does not properly handle "select" tags, which can lead
to an infinite loop. If parsing user supplied input, this may be used
diff --git a/reports/GO-2020-0015.yaml b/reports/GO-2020-0015.yaml
index d7e33b4..8a3cd18 100644
--- a/reports/GO-2020-0015.yaml
+++ b/reports/GO-2020-0015.yaml
@@ -6,13 +6,13 @@
derived_symbols:
- bomOverride.Transform
versions:
- - fixed: v0.3.3
+ - fixed: 0.3.3
- module: golang.org/x/text
package: golang.org/x/text/transform
symbols:
- Transform
versions:
- - fixed: v0.3.3
+ - fixed: 0.3.3
description: |
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
diff --git a/reports/GO-2020-0016.yaml b/reports/GO-2020-0016.yaml
index 7bac4d3..62308ae 100644
--- a/reports/GO-2020-0016.yaml
+++ b/reports/GO-2020-0016.yaml
@@ -7,7 +7,7 @@
- blockHeader.UnmarshalBinary
- streamReader.Read
versions:
- - fixed: v0.5.8
+ - fixed: 0.5.8
description: |
An attacker can construct a series of bytes such that calling
Reader.Read on the bytes could cause an infinite loop. If
diff --git a/reports/GO-2020-0017.yaml b/reports/GO-2020-0017.yaml
index 36d94d9..c5a731e 100644
--- a/reports/GO-2020-0017.yaml
+++ b/reports/GO-2020-0017.yaml
@@ -3,12 +3,12 @@
symbols:
- MapClaims.VerifyAudience
versions:
- - introduced: v0.0.0-20150717181359-44718f8a89b0
+ - introduced: 0.0.0-20150717181359-44718f8a89b0
- module: github.com/dgrijalva/jwt-go/v4
symbols:
- MapClaims.VerifyAudience
versions:
- - fixed: v4.0.0-preview1
+ - fixed: 4.0.0-preview1
description: |
If a JWT contains an audience claim with an array of strings, rather
than a single string, and MapClaims.VerifyAudience is called with
diff --git a/reports/GO-2020-0018.yaml b/reports/GO-2020-0018.yaml
index e811da9..b168122 100644
--- a/reports/GO-2020-0018.yaml
+++ b/reports/GO-2020-0018.yaml
@@ -10,7 +10,7 @@
- init
- safeRandom
versions:
- - fixed: v1.2.1-0.20181016170032-d91630c85102
+ - fixed: 1.2.1-0.20181016170032-d91630c85102
description: |
UUIDs generated using NewV1 and NewV4 may not read the expected
number of random bytes. These UUIDs may contain a significantly smaller
diff --git a/reports/GO-2020-0019.yaml b/reports/GO-2020-0019.yaml
index 59a4d82..403c2e7 100644
--- a/reports/GO-2020-0019.yaml
+++ b/reports/GO-2020-0019.yaml
@@ -25,7 +25,7 @@
- proxy_envOnce.Get
- proxy_socks5.Dial
versions:
- - fixed: v1.4.1
+ - fixed: 1.4.1
description: |
An attacker can craft malicious WebSocket frames that cause an integer
overflow in a variable which tracks the number of bytes remaining. This
diff --git a/reports/GO-2020-0020.yaml b/reports/GO-2020-0020.yaml
index 3421f92..c9865e9 100644
--- a/reports/GO-2020-0020.yaml
+++ b/reports/GO-2020-0020.yaml
@@ -3,7 +3,7 @@
symbols:
- cors.ServeHTTP
versions:
- - fixed: v1.3.0
+ - fixed: 1.3.0
description: |
Usage of the CORS handler may apply improper CORS headers, allowing
the requester to explicitly control the value of the Access-Control-Allow-Origin
diff --git a/reports/GO-2020-0021.yaml b/reports/GO-2020-0021.yaml
index f62017e..9158517 100644
--- a/reports/GO-2020-0021.yaml
+++ b/reports/GO-2020-0021.yaml
@@ -5,7 +5,7 @@
- SearchRepositoryByName
- SearchUserByName
versions:
- - fixed: v0.5.8
+ - fixed: 0.5.8
description: |
Due to improper santization of user input, a number of methods are
vulnerable to SQL injection if used with user input that has not
diff --git a/reports/GO-2020-0022.yaml b/reports/GO-2020-0022.yaml
index 6661c8d..ba0056b 100644
--- a/reports/GO-2020-0022.yaml
+++ b/reports/GO-2020-0022.yaml
@@ -3,7 +3,7 @@
symbols:
- Uncompress
versions:
- - fixed: v0.0.0-20140711154735-199f5f787806
+ - fixed: 0.0.0-20140711154735-199f5f787806
description: |
LZ4 bindings use a deprecated C API that is vulnerable to
memory corruption, which could lead to arbitrary code execution
diff --git a/reports/GO-2020-0023.yaml b/reports/GO-2020-0023.yaml
index d514889..3992e0a 100644
--- a/reports/GO-2020-0023.yaml
+++ b/reports/GO-2020-0023.yaml
@@ -3,7 +3,7 @@
symbols:
- Algorithm.validateSignature
versions:
- - fixed: v0.0.0-20170426191122-ca1404ee6e83
+ - fixed: 0.0.0-20170426191122-ca1404ee6e83
description: |
Token validation methods are susceptible to a timing side-channel
during HMAC comparison. With a large enough number of requests
diff --git a/reports/GO-2020-0024.yaml b/reports/GO-2020-0024.yaml
index 5e0fa44..3c12129 100644
--- a/reports/GO-2020-0024.yaml
+++ b/reports/GO-2020-0024.yaml
@@ -5,14 +5,14 @@
- proxiedConn.LocalAddr
- proxiedConn.RemoteAddr
versions:
- - fixed: v0.0.0-20130808000456-233bccbb1abe
+ - fixed: 0.0.0-20130808000456-233bccbb1abe
- module: github.com/btcsuitereleases/go-socks
package: github.com/btcsuitereleases/go-socks/socks
symbols:
- proxiedConn.LocalAddr
- proxiedConn.RemoteAddr
versions:
- - fixed: v0.0.0-20130808000456-233bccbb1abe
+ - fixed: 0.0.0-20130808000456-233bccbb1abe
description: |
The RemoteAddr and LocalAddr methods on the returned net.Conn may
call themselves, leading to an infinite loop which will crash the
diff --git a/reports/GO-2020-0025.yaml b/reports/GO-2020-0025.yaml
index 6545ea1..f6426d5 100644
--- a/reports/GO-2020-0025.yaml
+++ b/reports/GO-2020-0025.yaml
@@ -4,13 +4,13 @@
- tgzExtractor.Extract
- zipExtractor.Extract
versions:
- - fixed: v0.0.0-20180523222229-09b5706aa936
+ - fixed: 0.0.0-20180523222229-09b5706aa936
- module: code.cloudfoundry.org/archiver
symbols:
- tgzExtractor.Extract
- zipExtractor.Extract
versions:
- - fixed: v0.0.0-20180523222229-09b5706aa936
+ - fixed: 0.0.0-20180523222229-09b5706aa936
description: |
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
diff --git a/reports/GO-2020-0026.yaml b/reports/GO-2020-0026.yaml
index 389c13a..02e53f7 100644
--- a/reports/GO-2020-0026.yaml
+++ b/reports/GO-2020-0026.yaml
@@ -9,7 +9,7 @@
- stiTar.ExtractTarStream
- stiTar.ExtractTarStreamWithLogging
versions:
- - fixed: v1.1.10-0.20180427153919-f5cbcbc5cc6f
+ - fixed: 1.1.10-0.20180427153919-f5cbcbc5cc6f
description: |
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
diff --git a/reports/GO-2020-0027.yaml b/reports/GO-2020-0027.yaml
index bfff53e..81d8140 100644
--- a/reports/GO-2020-0027.yaml
+++ b/reports/GO-2020-0027.yaml
@@ -6,7 +6,7 @@
- SetProcessPrivileges
- Handle.StopAsPamUser
versions:
- - fixed: v0.2.4
+ - fixed: 0.2.4
- module: github.com/google/fscrypt
package: github.com/google/fscrypt/security
symbols:
diff --git a/reports/GO-2020-0028.yaml b/reports/GO-2020-0028.yaml
index e6e2704..12484cf 100644
--- a/reports/GO-2020-0028.yaml
+++ b/reports/GO-2020-0028.yaml
@@ -6,7 +6,7 @@
- ParseZone
- ReadRR
versions:
- - fixed: v1.0.10
+ - fixed: 1.0.10
description: |
Due to a nil pointer dereference, parsing a malformed zone file
containing TA records may cause a panic. If parsing user supplied
diff --git a/reports/GO-2020-0029.yaml b/reports/GO-2020-0029.yaml
index 6498f9b..9194bdc 100644
--- a/reports/GO-2020-0029.yaml
+++ b/reports/GO-2020-0029.yaml
@@ -3,7 +3,7 @@
symbols:
- Context.ClientIP
versions:
- - fixed: v0.0.0-20141229113116-0099840c98ae
+ - fixed: 0.0.0-20141229113116-0099840c98ae
description: |
Due to improper HTTP header santization, a malicious user can spoof their
source IP address by setting the X-Forwarded-For header. This may allow
diff --git a/reports/GO-2020-0031.yaml b/reports/GO-2020-0031.yaml
index 859b5b9..b3ebb00 100644
--- a/reports/GO-2020-0031.yaml
+++ b/reports/GO-2020-0031.yaml
@@ -1,7 +1,7 @@
packages:
- module: github.com/proglottis/gpgme
versions:
- - fixed: v0.1.1
+ - fixed: 0.1.1
description: |
Due to improper setting of finalizers, memory passed to C may be freed before it is used,
leading to crashes due to memory corruption or possible code execution.
diff --git a/reports/GO-2020-0032.yaml b/reports/GO-2020-0032.yaml
index 7b0f261..17a85fd 100644
--- a/reports/GO-2020-0032.yaml
+++ b/reports/GO-2020-0032.yaml
@@ -3,17 +3,17 @@
symbols:
- Controller.FileHandler
versions:
- - fixed: v1.4.3
+ - fixed: 1.4.3
- module: goa.design/goa
symbols:
- Controller.FileHandler
versions:
- - fixed: v1.4.3
+ - fixed: 1.4.3
- module: goa.design/goa/v3
symbols:
- Controller.FileHandler
versions:
- - fixed: v3.0.9
+ - fixed: 3.0.9
description: |
Due to improper santization of user input, Controller.FileHandler allows
for directory traversal, allowing an attacker to read files outside of
diff --git a/reports/GO-2020-0033.yaml b/reports/GO-2020-0033.yaml
index 1259941..44c259f 100644
--- a/reports/GO-2020-0033.yaml
+++ b/reports/GO-2020-0033.yaml
@@ -7,7 +7,7 @@
- Application.ServeHTTP
- Application.Start
versions:
- - fixed: v0.12.4
+ - fixed: 0.12.4
description: |
Due to improper santization of user input, HTTPEngine.Handle allows
for directory traversal, allowing an attacker to read files outside of
diff --git a/reports/GO-2020-0034.yaml b/reports/GO-2020-0034.yaml
index 504274e..80dd71d 100644
--- a/reports/GO-2020-0034.yaml
+++ b/reports/GO-2020-0034.yaml
@@ -3,7 +3,7 @@
symbols:
- Unzip.Extract
versions:
- - fixed: v1.0.0
+ - fixed: 1.0.0
description: |
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
diff --git a/reports/GO-2020-0035.yaml b/reports/GO-2020-0035.yaml
index 077e386..e098875 100644
--- a/reports/GO-2020-0035.yaml
+++ b/reports/GO-2020-0035.yaml
@@ -3,7 +3,7 @@
symbols:
- Unzip.Extract
versions:
- - fixed: v1.0.3-0.20200308084313-2adbaa4891b9
+ - fixed: 1.0.3-0.20200308084313-2adbaa4891b9
description: |
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
diff --git a/reports/GO-2020-0036.yaml b/reports/GO-2020-0036.yaml
index 2b99922..6c20348 100644
--- a/reports/GO-2020-0036.yaml
+++ b/reports/GO-2020-0036.yaml
@@ -7,7 +7,7 @@
- Unmarshal
- UnmarshalStrict
versions:
- - fixed: v2.2.8
+ - fixed: 2.2.8
- module: github.com/go-yaml/yaml
symbols:
- yaml_parser_fetch_more_tokens
diff --git a/reports/GO-2020-0037.yaml b/reports/GO-2020-0037.yaml
index 6e031a8..56edd79 100644
--- a/reports/GO-2020-0037.yaml
+++ b/reports/GO-2020-0037.yaml
@@ -4,7 +4,7 @@
symbols:
- makeHTTPClient
versions:
- - fixed: v0.31.1
+ - fixed: 0.31.1
description: |
Due to support of Gzip compression in request bodies, as well
as a lack of limiting response body sizes, a malicious server
diff --git a/reports/GO-2020-0038.yaml b/reports/GO-2020-0038.yaml
index 2657b5b..1261f53 100644
--- a/reports/GO-2020-0038.yaml
+++ b/reports/GO-2020-0038.yaml
@@ -9,7 +9,7 @@
- Resume
- Server
versions:
- - fixed: v1.5.2
+ - fixed: 1.5.2
description: |
Due to improper verification of packets, unencrypted packets containing
application data are accepted after the initial handshake. This allows
diff --git a/reports/GO-2020-0039.yaml b/reports/GO-2020-0039.yaml
index 493a4a5..cdb508d 100644
--- a/reports/GO-2020-0039.yaml
+++ b/reports/GO-2020-0039.yaml
@@ -9,7 +9,7 @@
- Macaron.ServeHTTP
- Router.ServeHTTP
versions:
- - fixed: v1.3.7
+ - fixed: 1.3.7
description: |
Due to improper request santization, a specifically crafted URL
can cause the static file handler to redirect to an attacker chosen
diff --git a/reports/GO-2020-0041.yaml b/reports/GO-2020-0041.yaml
index 8c63c94..69fb93f 100644
--- a/reports/GO-2020-0041.yaml
+++ b/reports/GO-2020-0041.yaml
@@ -14,7 +14,7 @@
- TzArchive.Flush
- TzArchive.Open
versions:
- - fixed: v1.0.1
+ - fixed: 1.0.1
- module: github.com/unknwon/cae
package: github.com/unknwon/cae/zip
symbols:
@@ -30,7 +30,7 @@
- ZipArchive.ExtractTo
- ZipArchive.Flush
versions:
- - fixed: v1.0.1
+ - fixed: 1.0.1
description: |
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
diff --git a/reports/GO-2020-0042.yaml b/reports/GO-2020-0042.yaml
index a2a2acb..38063a3 100644
--- a/reports/GO-2020-0042.yaml
+++ b/reports/GO-2020-0042.yaml
@@ -4,7 +4,7 @@
symbols:
- Extract
versions:
- - fixed: v0.1.0
+ - fixed: 0.1.0
description: |
Due to improper path santization, RPMs containing relative file
paths can cause files to be written (or overwritten) outside of the
diff --git a/reports/GO-2020-0043.yaml b/reports/GO-2020-0043.yaml
index b27eb18..bed8969 100644
--- a/reports/GO-2020-0043.yaml
+++ b/reports/GO-2020-0043.yaml
@@ -6,7 +6,7 @@
- Server.serveHTTP
- assertConfigsCompatible
versions:
- - fixed: v0.10.13
+ - fixed: 0.10.13
description: |
Due to improper TLS verification when serving traffic for multiple
SNIs, an attacker may bypass TLS client authentication by indicating
diff --git a/reports/GO-2020-0045.yaml b/reports/GO-2020-0045.yaml
index 2103cb6..68958a8 100644
--- a/reports/GO-2020-0045.yaml
+++ b/reports/GO-2020-0045.yaml
@@ -6,7 +6,7 @@
- Context.Render
- Context.RenderFromString
versions:
- - fixed: v0.3.0
+ - fixed: 0.3.0
description: |
CSRF tokens are generated using math/rand, which is not a cryptographically secure
rander number generation, making predicting their values relatively trivial and
diff --git a/reports/GO-2020-0046.yaml b/reports/GO-2020-0046.yaml
index 1e98f38..846f45e 100644
--- a/reports/GO-2020-0046.yaml
+++ b/reports/GO-2020-0046.yaml
@@ -3,7 +3,7 @@
symbols:
- ValidationContext.validateSignature
versions:
- - fixed: v1.1.0
+ - fixed: 1.1.0
- module: github.com/russellhaering/gosaml2
symbols:
- SAMLServiceProvider.validateAssertionSignatures
@@ -11,7 +11,7 @@
- SAMLServiceProvider.RetrieveAssertionInfo
- SAMLServiceProvider.ValidateEncodedResponse
versions:
- - fixed: v0.6.0
+ - fixed: 0.6.0
description: |
Due to a nil pointer dereference, a malformed XML Digital Signature
can cause a panic during validation. If user supplied signatures are
diff --git a/reports/GO-2020-0048.yaml b/reports/GO-2020-0048.yaml
index 6bbcfb6..eda959e 100644
--- a/reports/GO-2020-0048.yaml
+++ b/reports/GO-2020-0048.yaml
@@ -3,7 +3,7 @@
symbols:
- LoadURL
versions:
- - fixed: v1.3.1
+ - fixed: 1.3.1
description: |
LoadURL does not check the Content-Type of loaded resources,
which can cause a panic due to nil pointer deference if the loaded
diff --git a/reports/GO-2020-0049.yaml b/reports/GO-2020-0049.yaml
index 33c0eb7..6bd6c71 100644
--- a/reports/GO-2020-0049.yaml
+++ b/reports/GO-2020-0049.yaml
@@ -6,7 +6,7 @@
derived_symbols:
- CSRFHandler.ServeHTTP
versions:
- - fixed: v1.1.1
+ - fixed: 1.1.1
description: |
Due to improper validation of caller input, validation is silently disabled
if the provided expected token is malformed, causing any user supplied token
diff --git a/reports/GO-2020-0050.yaml b/reports/GO-2020-0050.yaml
index af36911..888a561 100644
--- a/reports/GO-2020-0050.yaml
+++ b/reports/GO-2020-0050.yaml
@@ -3,7 +3,7 @@
symbols:
- ValidationContext.findSignature
versions:
- - fixed: v1.1.0
+ - fixed: 1.1.0
description: |
Due to the behavior of encoding/xml, a crafted XML document may cause
XML Digital Signature validation to be entirely bypassed, causing an
diff --git a/reports/GO-2021-0051.yaml b/reports/GO-2021-0051.yaml
index b48ccf7..77acc6c 100644
--- a/reports/GO-2021-0051.yaml
+++ b/reports/GO-2021-0051.yaml
@@ -3,7 +3,7 @@
symbols:
- common.static
versions:
- - fixed: v4.1.18-0.20201215153152-4422e3b66b9f
+ - fixed: 4.1.18-0.20201215153152-4422e3b66b9f
description: |
Due to improper sanitization of user input on Windows, the static file handler
allows for directory traversal, allowing an attacker to read files outside of
diff --git a/reports/GO-2021-0052.yaml b/reports/GO-2021-0052.yaml
index 4901289..20b62f1 100644
--- a/reports/GO-2021-0052.yaml
+++ b/reports/GO-2021-0052.yaml
@@ -3,7 +3,7 @@
symbols:
- Context.ClientIP
versions:
- - fixed: v1.6.3-0.20210406033725-bfc8ca285eb4
+ - fixed: 1.6.3-0.20210406033725-bfc8ca285eb4
description: |
Due to improper HTTP header santization, a malicious user can spoof their
source IP address by setting the X-Forwarded-For header. This may allow
diff --git a/reports/GO-2021-0053.yaml b/reports/GO-2021-0053.yaml
index b8ae5b7..b424d26 100644
--- a/reports/GO-2021-0053.yaml
+++ b/reports/GO-2021-0053.yaml
@@ -1,7 +1,7 @@
packages:
- module: github.com/gogo/protobuf
versions:
- - fixed: v1.3.2
+ - fixed: 1.3.2
description: |
Due to improper bounds checking, maliciously crafted input to generated
Unmarshal methods can cause an out-of-bounds panic. If parsing messages
diff --git a/reports/GO-2021-0054.yaml b/reports/GO-2021-0054.yaml
index bb5a8fd..f1e8771 100644
--- a/reports/GO-2021-0054.yaml
+++ b/reports/GO-2021-0054.yaml
@@ -5,7 +5,7 @@
derived_symbols:
- Result.ForEach
versions:
- - fixed: v1.6.6
+ - fixed: 1.6.6
description: |
Due to improper bounds checking, maliciously crafted JSON objects
can cause an out-of-bounds panic. If parsing user input, this may
diff --git a/reports/GO-2021-0056.yaml b/reports/GO-2021-0056.yaml
index 8cc1989..b9f93e4 100644
--- a/reports/GO-2021-0056.yaml
+++ b/reports/GO-2021-0056.yaml
@@ -4,7 +4,7 @@
symbols:
- provider.HandlePOST
versions:
- - fixed: v0.0.0-20201214082111-324b1c886b40
+ - fixed: 0.0.0-20201214082111-324b1c886b40
description: |
Due to the behavior of encoding/xml, a crafted XML document may cause
XML Digital Signature validation to be entirely bypassed, causing an
diff --git a/reports/GO-2021-0057.yaml b/reports/GO-2021-0057.yaml
index 5b29316..4d0ae64 100644
--- a/reports/GO-2021-0057.yaml
+++ b/reports/GO-2021-0057.yaml
@@ -24,7 +24,7 @@
- ObjectEach
- Set
versions:
- - fixed: v1.1.1
+ - fixed: 1.1.1
description: |
Due to improper bounds checking, maliciously crafted JSON objects
can cause an out-of-bounds panic. If parsing user input, this may
diff --git a/reports/GO-2021-0058.yaml b/reports/GO-2021-0058.yaml
index 64a18d5..30912a4 100644
--- a/reports/GO-2021-0058.yaml
+++ b/reports/GO-2021-0058.yaml
@@ -10,15 +10,15 @@
- ServiceProvider.ParseResponse
- ServiceProvider.ValidateLogoutResponseRequest
versions:
- - fixed: v0.4.3
+ - fixed: 0.4.3
- module: github.com/crewjam/saml
package: github.com/crewjam/saml/samlidp
versions:
- - fixed: v0.4.3
+ - fixed: 0.4.3
- module: github.com/crewjam/saml
package: github.com/crewjam/saml/samlsp
versions:
- - fixed: v0.4.3
+ - fixed: 0.4.3
description: |
Due to the behavior of encoding/xml, a crafted XML document may cause
XML Digital Signature validation to be entirely bypassed, causing an
diff --git a/reports/GO-2021-0059.yaml b/reports/GO-2021-0059.yaml
index 01c0f50..5ed5225 100644
--- a/reports/GO-2021-0059.yaml
+++ b/reports/GO-2021-0059.yaml
@@ -3,7 +3,7 @@
symbols:
- sqaush
versions:
- - fixed: v1.6.4
+ - fixed: 1.6.4
description: |
Due to improper bounds checking, maliciously crafted JSON objects
can cause an out-of-bounds panic. If parsing user input, this may
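Review bot: The `symbols:` entry `sqaush`, kept as context in this hunk, looks like a transposition of `squash`. If the function in the affected module is spelled `squash`, symbol-level matching against this report would never find a call to it, and only the module/version match would fire. Worth checking against the upstream source while this file is being touched, and correcting to `- squash` if so.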
diff --git a/reports/GO-2021-0060.yaml b/reports/GO-2021-0060.yaml
index f09b5bb..2d61ee7 100644
--- a/reports/GO-2021-0060.yaml
+++ b/reports/GO-2021-0060.yaml
@@ -8,7 +8,7 @@
- SAMLServiceProvider.ValidateEncodedLogoutResponsePOST
- SAMLServiceProvider.ValidateEncodedResponse
versions:
- - fixed: v0.6.0
+ - fixed: 0.6.0
description: |
Due to the behavior of encoding/xml, a crafted XML document may cause
XML Digital Signature validation to be entirely bypassed, causing an
diff --git a/reports/GO-2021-0061.yaml b/reports/GO-2021-0061.yaml
index 7391528..b113adc 100644
--- a/reports/GO-2021-0061.yaml
+++ b/reports/GO-2021-0061.yaml
@@ -7,7 +7,7 @@
- Unmarshal
- UnmarshalStrict
versions:
- - fixed: v2.2.3
+ - fixed: 2.2.3
- module: github.com/go-yaml/yaml
symbols:
- decoder.unmarshal
diff --git a/reports/GO-2021-0063.yaml b/reports/GO-2021-0063.yaml
index d39b7f0..618b6a1 100644
--- a/reports/GO-2021-0063.yaml
+++ b/reports/GO-2021-0063.yaml
@@ -6,7 +6,7 @@
derived_symbols:
- PrivateLightServerAPI.Benchmark
versions:
- - fixed: v1.9.25
+ - fixed: 1.9.25
description: |
Due to a nil pointer dereference, a malicously crafted RPC message
can cause a panic. If handling RPC messages from untrusted clients,
diff --git a/reports/GO-2021-0064.yaml b/reports/GO-2021-0064.yaml
index a3c01fb..094502a 100644
--- a/reports/GO-2021-0064.yaml
+++ b/reports/GO-2021-0064.yaml
@@ -4,13 +4,13 @@
symbols:
- requestInfo.toCurl
versions:
- - fixed: v0.20.0-alpha.2
+ - fixed: 0.20.0-alpha.2
- module: k8s.io/kubernetes
package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
symbols:
- requestInfo.toCurl
versions:
- - fixed: v1.20.0-alpha.2
+ - fixed: 1.20.0-alpha.2
description: |
Authorization tokens may be inappropriately logged if the verbosity
level is set to a debug level.
diff --git a/reports/GO-2021-0065.yaml b/reports/GO-2021-0065.yaml
index 34e20ba..d587e0b 100644
--- a/reports/GO-2021-0065.yaml
+++ b/reports/GO-2021-0065.yaml
@@ -4,13 +4,13 @@
symbols:
- debuggingRoundTripper.RoundTrip
versions:
- - fixed: v0.17.0
+ - fixed: 0.17.0
- module: k8s.io/kubernetes
package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
symbols:
- debuggingRoundTripper.RoundTrip
versions:
- - fixed: v1.16.0-beta.1
+ - fixed: 1.16.0-beta.1
description: |
Authorization tokens may be inappropriately logged if the verbosity
level is set to a debug level.
diff --git a/reports/GO-2021-0066.yaml b/reports/GO-2021-0066.yaml
index e8a84d3..2dd8805 100644
--- a/reports/GO-2021-0066.yaml
+++ b/reports/GO-2021-0066.yaml
@@ -5,7 +5,7 @@
- readDockerConfigFileFromBytes
- readDockerConfigJSONFileFromBytes
versions:
- - fixed: v1.20.0-alpha.1
+ - fixed: 1.20.0-alpha.1
description: |
Attempting to read a malformed .dockercfg may cause secrets to be
inappropriately logged.
diff --git a/reports/GO-2021-0067.yaml b/reports/GO-2021-0067.yaml
index 82eaf03..3fd7d9a 100644
--- a/reports/GO-2021-0067.yaml
+++ b/reports/GO-2021-0067.yaml
@@ -4,8 +4,8 @@
symbols:
- toValidName
versions:
- - introduced: go1.16
- fixed: go1.16.1
+ - introduced: 1.16.0
+ fixed: 1.16.1
description: |
Using Reader.Open on an archive containing a file with a path
prefixed by "../" will cause a panic due to a stack overflow.
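Review bot: `introduced: 1.16.0` excludes Go 1.16 pre-releases once the value is read as SemVer 2.0.0, because a pre-release such as `1.16.0-rc.1` sorts below `1.16.0`. Whether the betas and release candidates carry the affected code is not visible here; if they do, the lower bound should be `introduced: 1.16.0-0`. The same applies to the other `X.Y.0` lower bounds on `std` reports in this change (GO-2021-0068, -0069, -0140, -0141, -0143, -0160, -0163). A short comment in the report schema documentation saying which form is expected for toolchain versions would settle the "go1.19rc1" question the commit message raises.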
diff --git a/reports/GO-2021-0068.yaml b/reports/GO-2021-0068.yaml
index e0632c7..822af93 100644
--- a/reports/GO-2021-0068.yaml
+++ b/reports/GO-2021-0068.yaml
@@ -3,9 +3,9 @@
- module: std
package: cmd/go
versions:
- - fixed: go1.14.14
- - introduced: go1.15.0
- fixed: go1.15.7
+ - fixed: 1.14.14
+ - introduced: 1.15.0
+ fixed: 1.15.7
description: |
The go command may execute arbitrary code at build time when using cgo on Windows.
This can be triggered by running go get on a malicious module, or any other time
diff --git a/reports/GO-2021-0069.yaml b/reports/GO-2021-0069.yaml
index dc8453f..2998cd1 100644
--- a/reports/GO-2021-0069.yaml
+++ b/reports/GO-2021-0069.yaml
@@ -4,10 +4,10 @@
symbols:
- nat.divRecursiveStep
versions:
- - introduced: go1.14
- fixed: go1.14.12
- - introduced: go1.15
- fixed: go1.15.5
+ - introduced: 1.14.0
+ fixed: 1.14.12
+ - introduced: 1.15.0
+ fixed: 1.15.5
description: |
A number of math/big.Int methods can panic when provided large inputs due
to a flawed division method.
diff --git a/reports/GO-2021-0070.yaml b/reports/GO-2021-0070.yaml
index 097face..0b5c5c1 100644
--- a/reports/GO-2021-0070.yaml
+++ b/reports/GO-2021-0070.yaml
@@ -6,7 +6,7 @@
derived_symbols:
- GetExecUserPath
versions:
- - fixed: v0.1.0
+ - fixed: 0.1.0
description: |
GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will
improperly interpret numeric UIDs as usernames. If the method is used without
diff --git a/reports/GO-2021-0071.yaml b/reports/GO-2021-0071.yaml
index 0fc3c1d..621201c 100644
--- a/reports/GO-2021-0071.yaml
+++ b/reports/GO-2021-0071.yaml
@@ -4,7 +4,7 @@
symbols:
- IdmapSet.doUidshiftIntoContainer
versions:
- - fixed: v0.0.0-20151004155856-19c6961cc101
+ - fixed: 0.0.0-20151004155856-19c6961cc101
description: |
A race between chown and chmod operations during a container
filesystem shift may allow a user who can modify the filesystem to
diff --git a/reports/GO-2021-0072.yaml b/reports/GO-2021-0072.yaml
index e7f2af1..eb0f8fe 100644
--- a/reports/GO-2021-0072.yaml
+++ b/reports/GO-2021-0072.yaml
@@ -9,7 +9,7 @@
- imageManifestHandler.GetImageManifest
- imageManifestHandler.PutImageManifest
versions:
- - fixed: v2.7.0-rc.0+incompatible
+ - fixed: 2.7.0-rc.0+incompatible
- module: github.com/docker/distribution
package: github.com/docker/distribution/registry/storage
symbols:
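Review bot: `fixed: 2.7.0-rc.0+incompatible` keeps the `+incompatible` suffix, which SemVer 2.0.0 treats as build metadata and ignores for ordering. The removed code went through `semver.Canonical`, which discards build metadata; the new `Canonical()` method on the version type is not shown in these hunks, so it is unclear whether the emitted OSV event still drops the suffix or now carries it. A test case with a `+incompatible` input would pin the behaviour. The second hunk in this file and GO-2021-0073 and GO-2021-0081 have the same form.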
@@ -26,7 +26,7 @@
- registry.Enumerate
- registry.Repositories
versions:
- - fixed: v2.7.0-rc.0+incompatible
+ - fixed: 2.7.0-rc.0+incompatible
description: |
Various storage methods do not impose limits on how much content is accepted
from user requests, allowing a malicious user to force the caller to allocate
diff --git a/reports/GO-2021-0073.yaml b/reports/GO-2021-0073.yaml
index 09ac192..4ae6b36 100644
--- a/reports/GO-2021-0073.yaml
+++ b/reports/GO-2021-0073.yaml
@@ -4,7 +4,7 @@
symbols:
- sshGetLFSExeAndArgs
versions:
- - fixed: v2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
+ - fixed: 2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
description: |
Arbitrary command execution can be triggered by improperly
sanitized SSH URLs in LFS configuration files. This can be
diff --git a/reports/GO-2021-0075.yaml b/reports/GO-2021-0075.yaml
index 6748c70..03fe9da 100644
--- a/reports/GO-2021-0075.yaml
+++ b/reports/GO-2021-0075.yaml
@@ -4,7 +4,7 @@
symbols:
- protocolManager.handleMsg
versions:
- - fixed: v1.8.11
+ - fixed: 1.8.11
description: |
Due to improper argument validation in RPC messages, a maliciously crafted
message can cause a panic, leading to denial of service.
diff --git a/reports/GO-2021-0076.yaml b/reports/GO-2021-0076.yaml
index b20eba7..744146f 100644
--- a/reports/GO-2021-0076.yaml
+++ b/reports/GO-2021-0076.yaml
@@ -3,7 +3,7 @@
symbols:
- partialArray.add
versions:
- - fixed: v0.5.2
+ - fixed: 0.5.2
description: |
A malicious JSON patch can cause a panic due to an out-of-bounds
write attempt. This can be used as a denial of service vector if
diff --git a/reports/GO-2021-0077.yaml b/reports/GO-2021-0077.yaml
index d4e8a71..4c578d7 100644
--- a/reports/GO-2021-0077.yaml
+++ b/reports/GO-2021-0077.yaml
@@ -4,7 +4,7 @@
symbols:
- authStore.AuthInfoFromTLS
versions:
- - fixed: v0.5.0-alpha.5.0.20190108173120-83c051b701d3
+ - fixed: 0.5.0-alpha.5.0.20190108173120-83c051b701d3
description: |
A user can use a valid client certificate that contains a CommonName that matches a
valid RBAC username to authenticate themselves as that user, despite lacking the
diff --git a/reports/GO-2021-0078.yaml b/reports/GO-2021-0078.yaml
index dd230b9..e8d8544 100644
--- a/reports/GO-2021-0078.yaml
+++ b/reports/GO-2021-0078.yaml
@@ -5,7 +5,7 @@
- inBodyIM
- inFramesetIM
versions:
- - fixed: v0.0.0-20180816102801-aaf60122140d
+ - fixed: 0.0.0-20180816102801-aaf60122140d
description: |
The HTML parser does not properly handle "in frameset" insertion mode, and can be made
to panic when operating on malformed HTML that contains <template> tags. If operating
diff --git a/reports/GO-2021-0079.yaml b/reports/GO-2021-0079.yaml
index d7d290b..bddd543 100644
--- a/reports/GO-2021-0079.yaml
+++ b/reports/GO-2021-0079.yaml
@@ -4,7 +4,7 @@
symbols:
- Network.checkTopicRegister
versions:
- - fixed: v1.0.4-0.20180831054840-1ac3c8ac4f2b
+ - fixed: 1.0.4-0.20180831054840-1ac3c8ac4f2b
description: |
A malformed query can cause an out-of-bounds panic due to improper
validation of arguments. If processing queries from untrusted
diff --git a/reports/GO-2021-0081.yaml b/reports/GO-2021-0081.yaml
index c902cbd..33c9e234 100644
--- a/reports/GO-2021-0081.yaml
+++ b/reports/GO-2021-0081.yaml
@@ -4,7 +4,7 @@
symbols:
- dockerClient.getBearerToken
versions:
- - fixed: v2.0.2-0.20190802080134-634605d06e73+incompatible
+ - fixed: 2.0.2-0.20190802080134-634605d06e73+incompatible
description: |
The HTTP client used to connect to the container registry authorization
service explicitly disables TLS verification, allowing an attacker that
diff --git a/reports/GO-2021-0082.yaml b/reports/GO-2021-0082.yaml
index af31db5..97b4a2e 100644
--- a/reports/GO-2021-0082.yaml
+++ b/reports/GO-2021-0082.yaml
@@ -2,7 +2,7 @@
- module: github.com/facebook/fbthrift
package: github.com/facebook/fbthrift/thrift/lib/go/thrift
versions:
- - fixed: v0.31.1-0.20200311080807-483ed864d69f
+ - fixed: 0.31.1-0.20200311080807-483ed864d69f
description: |
Thirft Servers preallocate memory for the declared size of messages before
checking the actual size of the message. This allows a malicious user to
diff --git a/reports/GO-2021-0083.yaml b/reports/GO-2021-0083.yaml
index e4a40ee..7f227b5 100644
--- a/reports/GO-2021-0083.yaml
+++ b/reports/GO-2021-0083.yaml
@@ -4,7 +4,7 @@
symbols:
- Adaptor.newTLSConfig
versions:
- - fixed: v1.12.1-0.20190521122906-c1aa4f867846
+ - fixed: 1.12.1-0.20190521122906-c1aa4f867846
description: |
TLS certificate verification is skipped when connecting to a MQTT server.
This allows an attacker who can MITM the connection to read, or forge,
diff --git a/reports/GO-2021-0084.yaml b/reports/GO-2021-0084.yaml
index 57c039a..b10d145 100644
--- a/reports/GO-2021-0084.yaml
+++ b/reports/GO-2021-0084.yaml
@@ -5,7 +5,7 @@
- FileProvider.SessionRead
- FileProvider.SessionRegenerate
versions:
- - fixed: v1.12.2-0.20200613154013-bac2b31afecc
+ - fixed: 1.12.2-0.20200613154013-bac2b31afecc
description: |
Session data is stored using permissive permissions, allowing local users
with filesystem access to read arbitrary data.
diff --git a/reports/GO-2021-0085.yaml b/reports/GO-2021-0085.yaml
index c8c4405..02d0264 100644
--- a/reports/GO-2021-0085.yaml
+++ b/reports/GO-2021-0085.yaml
@@ -2,11 +2,11 @@
- module: github.com/opencontainers/runc
package: github.com/opencontainers/runc/libcontainer
versions:
- - fixed: v1.0.0-rc8.0.20190930145003-cad42f6e0932
+ - fixed: 1.0.0-rc8.0.20190930145003-cad42f6e0932
- module: github.com/opencontainers/selinux
package: github.com/opencontainers/selinux/go-selinux
versions:
- - fixed: v1.3.1-0.20190929122143-5215b1806f52
+ - fixed: 1.3.1-0.20190929122143-5215b1806f52
description: |
AppArmor restrictions may be bypassed due to improper validation of mount
targets, allowing a malicious image to mount volumes over e.g. /proc.
diff --git a/reports/GO-2021-0086.yaml b/reports/GO-2021-0086.yaml
index c7b07a4..f8bc6cf 100644
--- a/reports/GO-2021-0086.yaml
+++ b/reports/GO-2021-0086.yaml
@@ -4,7 +4,7 @@
symbols:
- Provider.Render
versions:
- - fixed: v1.76.3-0.20191119114751-a4384210d4d0
+ - fixed: 1.76.3-0.20191119114751-a4384210d4d0
description: |
HTML content in markdown is not santized during rendering, possibly allowing
XSS if used to render untrusted user input.
diff --git a/reports/GO-2021-0087.yaml b/reports/GO-2021-0087.yaml
index 1672e00..2411ba0 100644
--- a/reports/GO-2021-0087.yaml
+++ b/reports/GO-2021-0087.yaml
@@ -4,7 +4,7 @@
symbols:
- mountToRootfs
versions:
- - fixed: v1.0.0-rc9.0.20200122160610-2fc03cc11c77
+ - fixed: 1.0.0-rc9.0.20200122160610-2fc03cc11c77
description: |
A race while mounting volumes allows a possible symlink-exchange
attack, allowing a user whom can start multiple containers with
diff --git a/reports/GO-2021-0088.yaml b/reports/GO-2021-0088.yaml
index ce1532c..fdf57a3 100644
--- a/reports/GO-2021-0088.yaml
+++ b/reports/GO-2021-0088.yaml
@@ -4,7 +4,7 @@
symbols:
- Skip
versions:
- - fixed: v0.31.1-0.20190225164308-c461c1bd1a3e
+ - fixed: 0.31.1-0.20190225164308-c461c1bd1a3e
description: |
Skip ignores unknown fields, rather than failing. A malicious user can craft small
messages with unknown fields which can take significant resources to parse. If a
diff --git a/reports/GO-2021-0089.yaml b/reports/GO-2021-0089.yaml
index 4c63182..635fb42 100644
--- a/reports/GO-2021-0089.yaml
+++ b/reports/GO-2021-0089.yaml
@@ -3,7 +3,7 @@
symbols:
- findKeyStart
versions:
- - fixed: v0.0.0-20200321185410-91ac96899e49
+ - fixed: 0.0.0-20200321185410-91ac96899e49
description: |
Parsing malformed JSON which contain opening brackets, but not closing brackets,
leads to an infinite loop. If operating on untrusted user input this can be
diff --git a/reports/GO-2021-0090.yaml b/reports/GO-2021-0090.yaml
index 35a316b..675fb13 100644
--- a/reports/GO-2021-0090.yaml
+++ b/reports/GO-2021-0090.yaml
@@ -6,8 +6,8 @@
derived_symbols:
- MakeCommit
versions:
- - introduced: v0.33.0
- fixed: v0.34.0-dev1.0.20200702134149-480b995a3172
+ - introduced: 0.33.0
+ fixed: 0.34.0-dev1.0.20200702134149-480b995a3172
description: |
Proposed commits may contain signatures for blocks not contained within the commit. Instead of skipping
these signatures, they cause failure during verification. A malicious proposer can use this to force
diff --git a/reports/GO-2021-0091.yaml b/reports/GO-2021-0091.yaml
index afc277e..035c47f 100644
--- a/reports/GO-2021-0091.yaml
+++ b/reports/GO-2021-0091.yaml
@@ -3,7 +3,7 @@
symbols:
- Ctx.Attachment
versions:
- - fixed: v1.12.6-0.20200710202935-a8ad5454363f
+ - fixed: 1.12.6-0.20200710202935-a8ad5454363f
description: |
Due to improper input validation when uploading a file, a malicious user may
force the server to return arbitrary HTTP headers when the uploaded
diff --git a/reports/GO-2021-0092.yaml b/reports/GO-2021-0092.yaml
index 3e58153..ffc427e 100644
--- a/reports/GO-2021-0092.yaml
+++ b/reports/GO-2021-0092.yaml
@@ -6,7 +6,7 @@
- Fosite.NewAccessRequest
- Fosite.NewRevocationRequest
versions:
- - fixed: v0.31.0
+ - fixed: 0.31.0
description: |
Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
replayed.
diff --git a/reports/GO-2021-0094.yaml b/reports/GO-2021-0094.yaml
index 85ed58d..4b24f56 100644
--- a/reports/GO-2021-0094.yaml
+++ b/reports/GO-2021-0094.yaml
@@ -3,7 +3,7 @@
symbols:
- Unpack
versions:
- - fixed: v0.5.0
+ - fixed: 0.5.0
description: |
Protections against directory traversal during archive extraction can be
bypassed by chaining multiple symbolic links within the archive. This allows
diff --git a/reports/GO-2021-0095.yaml b/reports/GO-2021-0095.yaml
index 74a07c9..3d2357c 100644
--- a/reports/GO-2021-0095.yaml
+++ b/reports/GO-2021-0095.yaml
@@ -4,7 +4,7 @@
symbols:
- CreateWrapKey
versions:
- - fixed: v0.3.0
+ - fixed: 0.3.0
description: |
Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport
is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted,
diff --git a/reports/GO-2021-0096.yaml b/reports/GO-2021-0096.yaml
index 18cbc2f..eff1bd5 100644
--- a/reports/GO-2021-0096.yaml
+++ b/reports/GO-2021-0096.yaml
@@ -1,7 +1,7 @@
packages:
- module: github.com/proglottis/gpgme
versions:
- - fixed: v0.1.1
+ - fixed: 0.1.1
description: |
Due to improper setting of finalizers, memory passed to C may be freed before it is used,
leading to crashes due to memory corruption or possible code execution.
diff --git a/reports/GO-2021-0097.yaml b/reports/GO-2021-0097.yaml
index 8a05206..7972c81 100644
--- a/reports/GO-2021-0097.yaml
+++ b/reports/GO-2021-0097.yaml
@@ -6,7 +6,7 @@
- readTextWithDescrFrame
- readAtomData
versions:
- - fixed: v0.0.0-20201120070457-d52dcb253c63
+ - fixed: 0.0.0-20201120070457-d52dcb253c63
description: |
Due to improper bounds checking, a number of methods can trigger a panic due to attempted
out-of-bounds reads. If the package is used to parse user supplied input, this may be
diff --git a/reports/GO-2021-0098.yaml b/reports/GO-2021-0098.yaml
index b353d71..ed43b18 100644
--- a/reports/GO-2021-0098.yaml
+++ b/reports/GO-2021-0098.yaml
@@ -4,26 +4,26 @@
symbols:
- PipeCommand
versions:
- - fixed: v1.5.1-0.20210113180018-fc664697ed2c
+ - fixed: 1.5.1-0.20210113180018-fc664697ed2c
- module: github.com/git-lfs/git-lfs
package: github.com/git-lfs/git-lfs/creds
symbols:
- AskPassCredentialHelper.getFromProgram
- commandCredentialHelper.Approve
versions:
- - fixed: v1.5.1-0.20210113180018-fc664697ed2c
+ - fixed: 1.5.1-0.20210113180018-fc664697ed2c
- module: github.com/git-lfs/git-lfs
package: github.com/git-lfs/git-lfs/lfs
symbols:
- pipeExtensions
versions:
- - fixed: v1.5.1-0.20210113180018-fc664697ed2c
+ - fixed: 1.5.1-0.20210113180018-fc664697ed2c
- module: github.com/git-lfs/git-lfs
package: github.com/git-lfs/git-lfs/lfshttp
symbols:
- sshAuthClient.Resolve
versions:
- - fixed: v1.5.1-0.20210113180018-fc664697ed2c
+ - fixed: 1.5.1-0.20210113180018-fc664697ed2c
description: |
Due to the standard library behavior of exec.LookPath on Windows a number of methods may
result in arbitrary code execution when cloning or operating on untrusted Git repositories.
diff --git a/reports/GO-2021-0099.yaml b/reports/GO-2021-0099.yaml
index fe3896c..ebf71a3 100644
--- a/reports/GO-2021-0099.yaml
+++ b/reports/GO-2021-0099.yaml
@@ -6,7 +6,7 @@
derived_symbols:
- fileWriter.Commit
versions:
- - fixed: v0.9.0
+ - fixed: 0.9.0
description: |
Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore
content store may result in directory traversal during archive extraction, allowing a
diff --git a/reports/GO-2021-0100.yaml b/reports/GO-2021-0100.yaml
index f7fbe59..22b4d2f 100644
--- a/reports/GO-2021-0100.yaml
+++ b/reports/GO-2021-0100.yaml
@@ -18,7 +18,7 @@
- UntarPath
- UntarUncompressed
versions:
- - fixed: v1.28.1
+ - fixed: 1.28.1
description: |
Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream
on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker
diff --git a/reports/GO-2021-0101.yaml b/reports/GO-2021-0101.yaml
index 22799e5..ffb1cdf 100644
--- a/reports/GO-2021-0101.yaml
+++ b/reports/GO-2021-0101.yaml
@@ -51,8 +51,8 @@
- TStandardClient.Recv
- tApplicationException.Read
versions:
- - introduced: v0.0.0-20151001171628-53dd39833a08
- - fixed: v0.13.0
+ - introduced: 0.0.0-20151001171628-53dd39833a08
+ - fixed: 0.13.0
description: |
Due to an improper bounds check, parsing maliciously crafted messages can cause panics. If
this package is used to parse untrusted input, this may be used as a vector for a denial of
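Review bot: `- introduced: 0.0.0-20151001171628-53dd39833a08` and `- fixed: 0.13.0` are two separate entries under `versions:`, while reports such as GO-2021-0090 put `fixed:` inside the same entry as `introduced:`. Read entry by entry this is one range with no fix plus one range with no lower bound; if a single range is meant, the second line should be `  fixed: 0.13.0` without the leading dash. The generator loop shown in internal/database/generate.go appends events in list order, so the OSV output may come out the same, but any consumer of the YAML itself would see an unbounded affected range. The prefix removal carries this over unchanged; GO-2021-0103 and GO-2021-0105 have the same shape.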
diff --git a/reports/GO-2021-0102.yaml b/reports/GO-2021-0102.yaml
index a239896..766b53e 100644
--- a/reports/GO-2021-0102.yaml
+++ b/reports/GO-2021-0102.yaml
@@ -4,13 +4,13 @@
symbols:
- AesGCM.Decrypt
versions:
- - fixed: v0.0.0-20191101214924-b1b5c44e050f
+ - fixed: 0.0.0-20191101214924-b1b5c44e050f
- module: github.com/cloudfoundry/gorouter
package: github.com/cloudfoundry/gorouter/common/secure
symbols:
- AesGCM.Decrypt
versions:
- - fixed: v0.0.0-20191101214924-b1b5c44e050f
+ - fixed: 0.0.0-20191101214924-b1b5c44e050f
description: |
Due to improper input validation, a maliciously crafted input can cause a panic, due to incorrect
nonce size. If this package is used to decrypt user supplied messages without checking the size of
diff --git a/reports/GO-2021-0103.yaml b/reports/GO-2021-0103.yaml
index d10c2e3..e18889d 100644
--- a/reports/GO-2021-0103.yaml
+++ b/reports/GO-2021-0103.yaml
@@ -10,8 +10,8 @@
- Int.SDiv
- Int.SMod
versions:
- - introduced: v0.1.0
- - fixed: v1.1.1
+ - introduced: 0.1.0
+ - fixed: 1.1.1
description: |
Due to improper bounds checking, certain mathmatical operations can cause a panic via an
out of bounds read. If this package is used to process untrusted user inputs, this may be used
diff --git a/reports/GO-2021-0104.yaml b/reports/GO-2021-0104.yaml
index d6bb98f..bd67f26 100644
--- a/reports/GO-2021-0104.yaml
+++ b/reports/GO-2021-0104.yaml
@@ -12,7 +12,7 @@
- operations.Done
- operations.Enqueue
versions:
- - fixed: v3.0.15
+ - fixed: 3.0.15
description: |
Due to improper error handling, DTLS connections were not killed when certificate verification
failed, causing users who did not check the connection state to continue to use the connection.
diff --git a/reports/GO-2021-0105.yaml b/reports/GO-2021-0105.yaml
index 1e77b8f..110bd71 100644
--- a/reports/GO-2021-0105.yaml
+++ b/reports/GO-2021-0105.yaml
@@ -4,8 +4,8 @@
symbols:
- StateDB.createObject
versions:
- - introduced: v1.9.4
- - fixed: v1.9.20
+ - introduced: 1.9.4
+ - fixed: 1.9.20
description: |
Due to an incorrect state calculation, a specific set of transactions could cause a consensus disagreement,
causing users of this package to reject a canonical chain.
diff --git a/reports/GO-2021-0106.yaml b/reports/GO-2021-0106.yaml
index 1f0158f..f14050b 100644
--- a/reports/GO-2021-0106.yaml
+++ b/reports/GO-2021-0106.yaml
@@ -3,7 +3,7 @@
symbols:
- Extractor.outputPath
versions:
- - fixed: v0.0.0-20201201191210-20a61371de5b
+ - fixed: 0.0.0-20201201191210-20a61371de5b
description: |
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
diff --git a/reports/GO-2021-0107.yaml b/reports/GO-2021-0107.yaml
index f0f8117..3967ffc 100644
--- a/reports/GO-2021-0107.yaml
+++ b/reports/GO-2021-0107.yaml
@@ -5,7 +5,7 @@
derived_symbols:
- Server.Socket
versions:
- - fixed: v1.5.2
+ - fixed: 1.5.2
description: |
Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a
nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or
diff --git a/reports/GO-2021-0108.yaml b/reports/GO-2021-0108.yaml
index 3986867..379cf56 100644
--- a/reports/GO-2021-0108.yaml
+++ b/reports/GO-2021-0108.yaml
@@ -3,7 +3,7 @@
symbols:
- Ctx.Attachment
versions:
- - fixed: v1.12.6
+ - fixed: 1.12.6
description: |
Due to improper input sanitization, a maliciously constructed filename could cause a file
download to use an attacker controlled filename, as well as injecting additional headers
diff --git a/reports/GO-2021-0109.yaml b/reports/GO-2021-0109.yaml
index 1c9a570..979ff78 100644
--- a/reports/GO-2021-0109.yaml
+++ b/reports/GO-2021-0109.yaml
@@ -3,7 +3,7 @@
symbols:
- TokenRevocationHandler.RevokeToken
versions:
- - fixed: v0.34.0
+ - fixed: 0.34.0
description: |
Due to improper error handling, an error with the underlying token storage may cause a user
to believe a token has been successfully revoked when it is in fact still valid. An attackers
diff --git a/reports/GO-2021-0110.yaml b/reports/GO-2021-0110.yaml
index ea85c9a..ce3243a 100644
--- a/reports/GO-2021-0110.yaml
+++ b/reports/GO-2021-0110.yaml
@@ -6,7 +6,7 @@
- Fosite.NewAccessRequest
- Fosite.NewRevocationRequest
versions:
- - fixed: v0.31.0
+ - fixed: 0.31.0
description: |
Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
replayed.
diff --git a/reports/GO-2021-0111.yaml b/reports/GO-2021-0111.yaml
index a020b41..20a59f1 100644
--- a/reports/GO-2021-0111.yaml
+++ b/reports/GO-2021-0111.yaml
@@ -41,7 +41,7 @@
- valueWriter.WriteUndefined
- valueWriter.WriteValueBytes
versions:
- - fixed: v1.5.1
+ - fixed: 1.5.1
description: |
Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed
Go structure could allow an attacker to inject additional fields into a MongoDB document. Users are
diff --git a/reports/GO-2021-0112.yaml b/reports/GO-2021-0112.yaml
index 1304f6a..6518365 100644
--- a/reports/GO-2021-0112.yaml
+++ b/reports/GO-2021-0112.yaml
@@ -80,7 +80,7 @@
- DocumentBuilder.AppendValue
- DocumentBuilder.StartDocument
versions:
- - fixed: v1.5.1
+ - fixed: 1.5.1
description: |
Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed
Go structure could allow an attacker to inject additional fields into a MongoDB document. Users are
diff --git a/reports/GO-2021-0113.yaml b/reports/GO-2021-0113.yaml
index b4bef0b..b85af7b 100644
--- a/reports/GO-2021-0113.yaml
+++ b/reports/GO-2021-0113.yaml
@@ -8,7 +8,7 @@
- MustParse
- ParseAcceptLanguage
versions:
- - fixed: v0.3.7
+ - fixed: 0.3.7
description: |
Due to improper index calculation, an incorrectly formatted language tag can cause Parse
to panic via an out of bounds read. If Parse is used to process untrusted user inputs,
diff --git a/reports/GO-2021-0140.yaml b/reports/GO-2021-0140.yaml
index 0c31df1..b4dacdf 100644
--- a/reports/GO-2021-0140.yaml
+++ b/reports/GO-2021-0140.yaml
@@ -4,9 +4,9 @@
symbols:
- Certificate.Verify
versions:
- - fixed: go1.13.13
- - introduced: go1.14.0
- fixed: go1.14.5
+ - fixed: 1.13.13
+ - introduced: 1.14.0
+ fixed: 1.14.5
description: |
X509 Certificate verification does not validate KeyUsages EKU
requirements on Windows if VerifyOptions.Roots is nil.
diff --git a/reports/GO-2021-0141.yaml b/reports/GO-2021-0141.yaml
index b4829bd..58d7c96 100644
--- a/reports/GO-2021-0141.yaml
+++ b/reports/GO-2021-0141.yaml
@@ -4,9 +4,9 @@
symbols:
- expectContinueReader.Read
versions:
- - fixed: go1.13.13
- - introduced: go1.14.0
- fixed: go1.14.5
+ - fixed: 1.13.13
+ - introduced: 1.14.0
+ fixed: 1.14.5
description: |
A Go HTTP server which reads from the request body while
simultaneously writing a response can panic when clients
diff --git a/reports/GO-2021-0143.yaml b/reports/GO-2021-0143.yaml
index 12875ac..8bc9319 100644
--- a/reports/GO-2021-0143.yaml
+++ b/reports/GO-2021-0143.yaml
@@ -4,17 +4,17 @@
symbols:
- response.Write
versions:
- - fixed: go1.14.8
- - introduced: go1.15.0
- fixed: go1.15.1
+ - fixed: 1.14.8
+ - introduced: 1.15.0
+ fixed: 1.15.1
- module: std
package: net/http/fcgi
symbols:
- response.Write
versions:
- - fixed: go1.14.8
- - introduced: go1.15.0
- fixed: go1.15.1
+ - fixed: 1.14.8
+ - introduced: 1.15.0
+ fixed: 1.15.1
description: |
When a Handler does not explicitly set the Content-Type header,
the net/http/cgi and net/http/fcgi packages default to "text/html",
diff --git a/reports/GO-2021-0157.yaml b/reports/GO-2021-0157.yaml
index db2c748..505a354 100644
--- a/reports/GO-2021-0157.yaml
+++ b/reports/GO-2021-0157.yaml
@@ -5,7 +5,7 @@
- CanonicalMIMEHeaderKey
- canonicalMIMEHeaderKey
versions:
- - fixed: go1.4.3
+ - fixed: 1.4.3
description: |
The MIME header parser treated spaces and hyphens
as equivalent, which can permit HTTP request smuggling.
diff --git a/reports/GO-2021-0159.yaml b/reports/GO-2021-0159.yaml
index 2885668..52e8f5b 100644
--- a/reports/GO-2021-0159.yaml
+++ b/reports/GO-2021-0159.yaml
@@ -12,7 +12,7 @@
- transferWriter.shouldSendContentLength
- validHeaderFieldByte
versions:
- - fixed: go1.4.3
+ - fixed: 1.4.3
description: |
HTTP headers were not properly parsed, which allows remote attackers to
conduct HTTP request smuggling attacks via a request that contains
diff --git a/reports/GO-2021-0160.yaml b/reports/GO-2021-0160.yaml
index 8037b5d..874f06e 100644
--- a/reports/GO-2021-0160.yaml
+++ b/reports/GO-2021-0160.yaml
@@ -5,8 +5,8 @@
- nat.expNNMontgomery
- nat.montgomery
versions:
- - introduced: go1.5
- fixed: go1.5.3
+ - introduced: 1.5.0
+ fixed: 1.5.3
description: |
Int.Exp Montgomery mishandled carry propagation and produced an incorrect
output, which makes it easier for attackers to obtain private RSA keys via
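Review bot: `introduced: 1.5.0` is not a plain prefix strip, since the old value `go1.5` had no patch component and the `.0` was added by hand. With the prefix gone, the third component is what keeps the scalar a YAML string: a bare `1.5` is a YAML float, and `1.10` would read as 1.1 in any loader that types scalars. This hunk does not show whether the report lint rejects two-component versions; if it does not, either add that check or quote the values, e.g. `introduced: "1.5.0"`. GO-2021-0178 has the same hand-normalised bound (`go1.1` to `1.1.0`).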
diff --git a/reports/GO-2021-0163.yaml b/reports/GO-2021-0163.yaml
index cbbf883..37e90c3 100644
--- a/reports/GO-2021-0163.yaml
+++ b/reports/GO-2021-0163.yaml
@@ -4,9 +4,9 @@
symbols:
- LoadLibrary
versions:
- - fixed: go1.5.4
- - introduced: go1.6.0
- fixed: go1.6.1
+ - fixed: 1.5.4
+ - introduced: 1.6.0
+ fixed: 1.6.1
description: |
Untrusted search path vulnerability on Windows related to LoadLibrary allows
local users to gain privileges via a malicious DLL in the current working
diff --git a/reports/GO-2021-0172.yaml b/reports/GO-2021-0172.yaml
index f2538ba..b70a1a8 100644
--- a/reports/GO-2021-0172.yaml
+++ b/reports/GO-2021-0172.yaml
@@ -4,9 +4,9 @@
symbols:
- Reader.readForm
versions:
- - fixed: go1.6.4
- - introduced: go1.7.0
- fixed: go1.7.4
+ - fixed: 1.6.4
+ - introduced: 1.7.0
+ fixed: 1.7.4
description: |
When parsing large multipart/form-data, an attacker can
cause a HTTP server to open a large number of file
diff --git a/reports/GO-2021-0178.yaml b/reports/GO-2021-0178.yaml
index b373d72..577641c 100644
--- a/reports/GO-2021-0178.yaml
+++ b/reports/GO-2021-0178.yaml
@@ -4,10 +4,10 @@
symbols:
- plainAuth.Start
versions:
- - introduced: go1.1
- fixed: go1.8.4
- - introduced: go1.9.0
- fixed: go1.9.1
+ - introduced: 1.1.0
+ fixed: 1.8.4
+ - introduced: 1.9.0
+ fixed: 1.9.1
description: |
SMTP clients using net/smtp can use the PLAIN authentication scheme on
network connections not secured with TLS, exposing passwords to
diff --git a/reports/GO-2021-0223.yaml b/reports/GO-2021-0223.yaml
index 903ee5d..3634ea5 100644
--- a/reports/GO-2021-0223.yaml
+++ b/reports/GO-2021-0223.yaml
@@ -4,9 +4,9 @@
symbols:
- Certificate.systemVerify
versions:
- - fixed: go1.13.13
- - introduced: go1.14.0
- fixed: go1.14.5
+ - fixed: 1.13.13
+ - introduced: 1.14.0
+ fixed: 1.14.5
description: |
On Windows, if VerifyOptions.Roots is nil, Certificate.Verify
does not check the EKU requirements specified in VerifyOptions.KeyUsages.
diff --git a/reports/GO-2021-0224.yaml b/reports/GO-2021-0224.yaml
index 8e5bd21..0c057ad 100644
--- a/reports/GO-2021-0224.yaml
+++ b/reports/GO-2021-0224.yaml
@@ -4,9 +4,9 @@
symbols:
- expectContinueReader.Read
versions:
- - fixed: go1.13.13
- - introduced: go1.14.0
- fixed: go1.14.5
+ - fixed: 1.13.13
+ - introduced: 1.14.0
+ fixed: 1.14.5
description: |
HTTP servers where the Handler concurrently reads the request
body and writes a response can encounter a data race and crash.
diff --git a/reports/GO-2021-0225.yaml b/reports/GO-2021-0225.yaml
index e52414b..b97ffb1 100644
--- a/reports/GO-2021-0225.yaml
+++ b/reports/GO-2021-0225.yaml
@@ -4,9 +4,9 @@
symbols:
- ReadUvarint
versions:
- - fixed: go1.13.15
- - introduced: go1.14.0
- fixed: go1.14.7
+ - fixed: 1.13.15
+ - introduced: 1.14.0
+ fixed: 1.14.7
description: |
Certain invalid inputs to ReadUvarint or ReadVarint could cause those
functions to read an unlimited number of bytes from the ByteReader argument
diff --git a/reports/GO-2021-0226.yaml b/reports/GO-2021-0226.yaml
index dd0f4d7..1d20f61 100644
--- a/reports/GO-2021-0226.yaml
+++ b/reports/GO-2021-0226.yaml
@@ -6,9 +6,9 @@
- response.WriteHeader
- response.writeCGIHeader
versions:
- - fixed: go1.14.8
- - introduced: go1.15.0
- fixed: go1.15.1
+ - fixed: 1.14.8
+ - introduced: 1.15.0
+ fixed: 1.15.1
- module: std
package: net/http/fcgi
symbols:
@@ -16,9 +16,9 @@
- response.WriteHeader
- response.writeCGIHeader
versions:
- - fixed: go1.14.8
- - introduced: go1.15.0
- fixed: go1.15.1
+ - fixed: 1.14.8
+ - introduced: 1.15.0
+ fixed: 1.15.1
description: |
When a Handler does not explicitly set the Content-Type header, the the
package would default to “text/html”, which could cause a Cross-Site Scripting
diff --git a/reports/GO-2021-0227.yaml b/reports/GO-2021-0227.yaml
index 80e3d7d..4ed89e1 100644
--- a/reports/GO-2021-0227.yaml
+++ b/reports/GO-2021-0227.yaml
@@ -4,7 +4,7 @@
symbols:
- connection.serverAuthenticate
versions:
- - fixed: v0.0.0-20201216223049-8b5274cf687f
+ - fixed: 0.0.0-20201216223049-8b5274cf687f
description: |
Clients can cause a panic in SSH servers. An attacker can craft
an authentication request message for the “gssapi-with-mic” method
diff --git a/reports/GO-2021-0228.yaml b/reports/GO-2021-0228.yaml
index 4a73ff0..849cdb0 100644
--- a/reports/GO-2021-0228.yaml
+++ b/reports/GO-2021-0228.yaml
@@ -20,7 +20,7 @@
- ZipArchive.Flush
- ZipArchive.Open
versions:
- - fixed: v1.0.1
+ - fixed: 1.0.1
description: |
The ExtractTo function doesn't securely escape file paths in zip archives
which include leading or non-leading "..". This allows an attacker to add or
diff --git a/reports/GO-2021-0234.yaml b/reports/GO-2021-0234.yaml
index 63702f8..95c3b6d 100644
--- a/reports/GO-2021-0234.yaml
+++ b/reports/GO-2021-0234.yaml
@@ -4,9 +4,9 @@
symbols:
- Decoder.Token
versions:
- - fixed: go1.15.9
- - introduced: go1.16.0
- fixed: go1.16.1
+ - fixed: 1.15.9
+ - introduced: 1.16.0
+ fixed: 1.16.1
description: |
The Decode, DecodeElement, and Skip methods of an xml.Decoder
provided by xml.NewTokenDecoder may enter an infinite loop when
diff --git a/reports/GO-2021-0235.yaml b/reports/GO-2021-0235.yaml
index 6795732..14bc074 100644
--- a/reports/GO-2021-0235.yaml
+++ b/reports/GO-2021-0235.yaml
@@ -4,9 +4,9 @@
symbols:
- p224Contract
versions:
- - fixed: go1.14.14
- - introduced: go1.15.0
- fixed: go1.15.7
+ - fixed: 1.14.14
+ - introduced: 1.15.0
+ fixed: 1.15.7
description: |
The P224() Curve implementation can in rare circumstances generate
incorrect outputs, including returning invalid points from
diff --git a/reports/GO-2021-0237.yaml b/reports/GO-2021-0237.yaml
index 62fa6a3..f73d1fb 100644
--- a/reports/GO-2021-0237.yaml
+++ b/reports/GO-2021-0237.yaml
@@ -3,7 +3,7 @@
symbols:
- Route.execute
versions:
- - fixed: v1.1.1
+ - fixed: 1.1.1
description: |
Attackers may be able to craft phishing links and other open
redirects by exploiting PowerMux's trailing slash redirection
diff --git a/reports/GO-2021-0238.yaml b/reports/GO-2021-0238.yaml
index eb9f768..df27303 100644
--- a/reports/GO-2021-0238.yaml
+++ b/reports/GO-2021-0238.yaml
@@ -4,7 +4,7 @@
symbols:
- inHeadIM
versions:
- - fixed: v0.0.0-20210520170846-37e1c6afe023
+ - fixed: 0.0.0-20210520170846-37e1c6afe023
description: |
An attacker can craft an input to ParseFragment that causes it
to enter an infinite loop and never return.
diff --git a/reports/GO-2021-0239.yaml b/reports/GO-2021-0239.yaml
index 320a42c..e1a807c 100644
--- a/reports/GO-2021-0239.yaml
+++ b/reports/GO-2021-0239.yaml
@@ -8,9 +8,9 @@
- Resolver.LookupNS
- Resolver.LookupSRV
versions:
- - fixed: go1.15.13
- - introduced: go1.16.0
- fixed: go1.16.5
+ - fixed: 1.15.13
+ - introduced: 1.16.0
+ fixed: 1.16.5
description: |
The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr
functions and their respective methods on the Resolver type may
diff --git a/reports/GO-2021-0240.yaml b/reports/GO-2021-0240.yaml
index 064868b..0a523b7 100644
--- a/reports/GO-2021-0240.yaml
+++ b/reports/GO-2021-0240.yaml
@@ -4,9 +4,9 @@
symbols:
- Reader.init
versions:
- - fixed: go1.15.13
- - introduced: go1.16.0
- fixed: go1.16.5
+ - fixed: 1.15.13
+ - introduced: 1.16.0
+ fixed: 1.16.5
description: |
NewReader and OpenReader can cause a panic or an unrecoverable
fatal error when reading an archive that claims to contain a large
diff --git a/reports/GO-2021-0241.yaml b/reports/GO-2021-0241.yaml
index 77cd891..ef7cc23 100644
--- a/reports/GO-2021-0241.yaml
+++ b/reports/GO-2021-0241.yaml
@@ -4,9 +4,9 @@
symbols:
- ReverseProxy.ServeHTTP
versions:
- - fixed: go1.15.13
- - introduced: go1.16.0
- fixed: go1.16.5
+ - fixed: 1.15.13
+ - introduced: 1.16.0
+ fixed: 1.16.5
description: |
ReverseProxy can be made to forward certain hop-by-hop headers,
including Connection. If the target of the ReverseProxy is
diff --git a/reports/GO-2021-0242.yaml b/reports/GO-2021-0242.yaml
index 87209c7..8bbf809 100644
--- a/reports/GO-2021-0242.yaml
+++ b/reports/GO-2021-0242.yaml
@@ -4,9 +4,9 @@
symbols:
- Rat.SetString
versions:
- - fixed: go1.15.13
- - introduced: go1.16.0
- fixed: go1.16.5
+ - fixed: 1.15.13
+ - introduced: 1.16.0
+ fixed: 1.16.5
description: |
Rat.SetString and Rat.UnmarshalText may cause a panic or an
unrecoverable fatal error if passed inputs with very large
diff --git a/reports/GO-2021-0243.yaml b/reports/GO-2021-0243.yaml
index 066187a..6281fc8 100644
--- a/reports/GO-2021-0243.yaml
+++ b/reports/GO-2021-0243.yaml
@@ -4,9 +4,9 @@
symbols:
- rsaKeyAgreement.generateClientKeyExchange
versions:
- - fixed: go1.15.14
- - introduced: go1.16.0
- fixed: go1.16.6
+ - fixed: 1.15.14
+ - introduced: 1.16.0
+ fixed: 1.16.6
description: |
crypto/tls clients can panic when provided a certificate of the
wrong type for the negotiated parameters. net/http clients
diff --git a/reports/GO-2021-0245.yaml b/reports/GO-2021-0245.yaml
index 16af7fa..a629c68 100644
--- a/reports/GO-2021-0245.yaml
+++ b/reports/GO-2021-0245.yaml
@@ -4,9 +4,9 @@
symbols:
- ReverseProxy.ServeHTTP
versions:
- - fixed: go1.15.15
- - introduced: go1.16.0
- fixed: go1.16.7
+ - fixed: 1.15.15
+ - introduced: 1.16.0
+ fixed: 1.16.7
description: |
ReverseProxy can panic after encountering a problem copying
a proxied response body.
diff --git a/reports/GO-2021-0258.yaml b/reports/GO-2021-0258.yaml
index f27fad8..12af083 100644
--- a/reports/GO-2021-0258.yaml
+++ b/reports/GO-2021-0258.yaml
@@ -3,7 +3,7 @@
symbols:
- Manager.onUpdateRecords
versions:
- - fixed: v0.15.6
+ - fixed: 0.15.6
description: |
Pomerium is an open source identity-aware access proxy. Changes to the OIDC
claims of a user after initial login are not reflected in policy evaluation
diff --git a/reports/GO-2021-0263.yaml b/reports/GO-2021-0263.yaml
index 68458db..1ba9861 100644
--- a/reports/GO-2021-0263.yaml
+++ b/reports/GO-2021-0263.yaml
@@ -4,9 +4,9 @@
symbols:
- NewFile
versions:
- - fixed: go1.16.10
- - introduced: go1.17.0
- fixed: go1.17.3
+ - fixed: 1.16.10
+ - introduced: 1.17.0
+ fixed: 1.17.3
description: |
Calling File.ImportedSymbols on a loaded file which contains an invalid
dynamic symbol table command can cause a panic, in particular if the encoded
diff --git a/reports/GO-2021-0264.yaml b/reports/GO-2021-0264.yaml
index f24a159..d3d95fb 100644
--- a/reports/GO-2021-0264.yaml
+++ b/reports/GO-2021-0264.yaml
@@ -5,9 +5,9 @@
- split
- Reader.Open
versions:
- - fixed: go1.16.10
- - introduced: go1.17.0
- fixed: go1.17.3
+ - fixed: 1.16.10
+ - introduced: 1.17.0
+ fixed: 1.17.3
description: |
Previously, opening a zip with (*Reader).Open could result in a panic if the
zip contained a file whose name was exclusively made up of slash characters or
diff --git a/reports/GO-2021-0265.yaml b/reports/GO-2021-0265.yaml
index 96fe2a4..596c150 100644
--- a/reports/GO-2021-0265.yaml
+++ b/reports/GO-2021-0265.yaml
@@ -3,7 +3,7 @@
symbols:
- match.Match
versions:
- - fixed: v1.9.3
+ - fixed: 1.9.3
description: |
GJSON allowed a ReDoS (regular expression denial of service) attack.
published: 2022-01-14T17:30:24Z
diff --git a/reports/GO-2021-0321.yaml b/reports/GO-2021-0321.yaml
index cb0e0f2..95f1c3a 100644
--- a/reports/GO-2021-0321.yaml
+++ b/reports/GO-2021-0321.yaml
@@ -4,8 +4,8 @@
symbols:
- Dialer.config
versions:
- - introduced: v0.18.0
- fixed: v0.21.1
+ - introduced: 0.18.0
+ fixed: 0.21.1
description: |
An attacker capable of spoofing DNS TXT records can redirect a
WebSocket connection request to a server under their control without
diff --git a/reports/GO-2021-0356.yaml b/reports/GO-2021-0356.yaml
index 5ef2a11..9c9d9fd 100644
--- a/reports/GO-2021-0356.yaml
+++ b/reports/GO-2021-0356.yaml
@@ -6,7 +6,7 @@
derived_symbols:
- ServerConfig.AddHostKey
versions:
- - fixed: v0.0.0-20220314234659-1baeb1ce4c0b
+ - fixed: 0.0.0-20220314234659-1baeb1ce4c0b
description: |
Attackers can cause a crash in SSH servers when the server has been
configured by passing a Signer to ServerConfig.AddHostKey such that
diff --git a/reports/GO-2021-0412.yaml b/reports/GO-2021-0412.yaml
index 08c248b..43a81b7 100644
--- a/reports/GO-2021-0412.yaml
+++ b/reports/GO-2021-0412.yaml
@@ -4,7 +4,7 @@
symbols:
- cryptManifestList
versions:
- - fixed: v1.1.4
+ - fixed: 1.1.4
description: |
The imgcrypt library provides API exensions for containerd to
support encrypted container images and implements the ctd-decoder