Skip to content
This repository has been archived by the owner on Apr 19, 2024. It is now read-only.

Outdated and vulnerable dependency golang:text #344

Closed
burise opened this issue Mar 16, 2021 · 1 comment
Closed

Outdated and vulnerable dependency golang:text #344

burise opened this issue Mar 16, 2021 · 1 comment
Labels
Bug

Comments

@burise
Copy link

burise commented Mar 16, 2021

Currently, the project has a dependency to golang.org/x/text v0.3.0, which is outdated and should be updated:

CVE-2020-14040
Summary: The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Base Score: 7.5 High
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-14040
@burise burise added the Bug label Mar 16, 2021
@burise burise changed the title Outdated and vulnerable dependencies golang:text Outdated and vulnerable dependency golang:text Mar 16, 2021
@AlecAivazis
Copy link
Owner

AlecAivazis commented Apr 22, 2021
edited

Thanks for reporting this @burise! I just updated the dependency and published a new version

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@AlecAivazis @burise