Predictable SIF UUID Identifiers

Low
tri-adam published GHSA-4gh8-x3vv-phhg May 7, 2021

Package

github.com/sylabs/sif (go mod)

Affected versions

<= 1.2.2

Patched versions

1.2.3

Description

Impact

The siftool new command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the github.com/satori/go.uuid module used as a dependency.

Patches

A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade.

The patch is commit 1939628

Workarounds

Users passing a CreateInfo struct should ensure the ID field is generated using a version of github.com/satori/go.uuid that is not vulnerable to this issue. Unfortunately, the latest tagged release is vulnerable. One way to obtain a non-vulnerable version is:

go get github.com/satori/go.uuid@75cca531ea763666bc46e531da3b4c3b95f64557
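As an added example (not code from the sif or satori/go.uuid projects), the following generates the ID from the operating system's CSPRNG via crypto/rand, with the RFC 4122 version and variant bits set, so that the value does not depend on the vulnerable generator at all. It assumes that CreateInfo.ID is satori's uuid.UUID, whose underlying type is [16]byte, so the value converts directly; the type and function names here are the example's own.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
)

// UUID is a 16-byte RFC 4122 identifier. satori/go.uuid's uuid.UUID has the
// same underlying type ([16]byte), so a value of this type can be converted
// into the CreateInfo.ID field (assumption; this is not sif's own type).
type UUID [16]byte

// NewV4 fills the UUID from r (crypto/rand.Reader in practice) and sets the
// version (4) and variant (10xx) bits. A short or failed read is returned as
// an error rather than silently yielding a weak or zero identifier.
func NewV4(r io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(r, u[:]); err != nil {
		return UUID{}, fmt.Errorf("uuid: reading random bytes: %w", err)
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version 4
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant
	return u, nil
}

// String renders the canonical 8-4-4-4-12 lowercase hex form.
func (u UUID) String() string {
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:16])
}

// IsV4 reports whether the version and variant bits are those of a random UUID.
func IsV4(u UUID) bool {
	return u[6]>>4 == 4 && u[8]&0xc0 == 0x80
}

func main() {
	id, err := NewV4(rand.Reader)
	if err != nil {
		panic(err)
	}
	// In a real caller: sif.CreateInfo{ID: uuid.UUID(id), ...}
	fmt.Println(id)
}
```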

Severity

Low

CVE ID

CVE-2021-29499

Weaknesses

No CWEs