Impact
The siftool new command produces predictable UUID identifiers due to insecure randomness in the version of the github.com/satori/go.uuid module used as a dependency.
Patches
A patch is available in version >= v1.2.2 of the module. Users are encouraged to upgrade.
Fixed by #90
Workarounds
Users passing a CreateInfo struct should ensure the ID field is generated using a version of github.com/satori/go.uuid that is not vulnerable to this issue. Unfortunately, the latest tagged release of that module is vulnerable to this issue. One way to obtain a non-vulnerable version is:
go get -u github.com/satori/go.uuid@v1.2.1-0.20180404165556-75cca531ea76
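For callers who populate the ID field themselves, the sketch below shows what a sound generator has to do: take all 16 bytes from the operating system CSPRNG, fail on a short read or error, then set the version and variant bits. It is an added example, not code from sif or go.uuid; UUID, NewV4From, NewV4 and CheckV4 are hypothetical names, and it assumes the module's UUID type is a 16-byte array so the result can be converted to it.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// UUID is a hypothetical stand-in with the 16-byte RFC 4122 layout.
type UUID [16]byte

// NewV4From builds a version 4 UUID from r; io.ReadFull makes a short read an error.
func NewV4From(r io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(r, u[:]); err != nil {
		return UUID{}, fmt.Errorf("reading random bytes: %w", err)
	}
	u[6] = u[6]&0x0f | 0x40 // version 4
	u[8] = u[8]&0x3f | 0x80 // RFC 4122 variant
	return u, nil
}

// NewV4 draws the bytes from the operating system CSPRNG.
func NewV4() (UUID, error) { return NewV4From(rand.Reader) }

// CheckV4 catches only obvious failures; it cannot prove an ID is unpredictable.
func CheckV4(u UUID) error {
	if u[6]>>4 != 4 || u[8]>>6 != 2 {
		return errors.New("not a version 4 RFC 4122 UUID")
	}
	u[6] &= 0x0f // drop the fixed bits, leaving only the random part
	u[8] &= 0x3f
	if u == (UUID{}) {
		return errors.New("random part is all zero")
	}
	return nil
}

func main() {
	id, err := NewV4()
	if err != nil {
		panic(err) // never fall back to a weaker source
	}
	fmt.Printf("%x %v\n", id, CheckV4(id))
}
```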
References
satori/go.uuid#73
For more information
If you have any questions or comments about this advisory:
Open an issue in https://github.com/hpcng/sif/issues