Update x/text to 0.3.8 #1571

Merged
merged 1 commit into from Nov 8, 2022

Conversation

dirkmueller

What type of PR is this?

  • cleanup

What this PR does / why we need it:

New version of x/text needed to avoid security scanners flagging this code
as vulnerable.

Also run go mod tidy.

Testing

Not tested.

This fixes a vulnerability in 0.3.7. Also remove unnecessary indirect
dependency on the parent module.

┌───────────────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│      Library      │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                          Title                           │
├───────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ golang.org/x/text │ CVE-2022-32149      │ HIGH     │ 0.3.7             │ 0.3.8         │ golang: golang.org/x/text/language: ParseAcceptLanguage  │
│                   │                     │          │                   │               │ takes a long time to parse complex tags                  │
│                   │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-32149               │
│                   ├─────────────────────┼──────────┤                   │               ├──────────────────────────────────────────────────────────┤
│                   │ GHSA-69ch-w2m2-3vjp │ UNKNOWN  │                   │               │ An attacker may cause a denial of service by crafting an │
│                   │                     │          │                   │               │ Accept-Language...                                       │
│                   │                     │          │                   │               │ GHSA-69ch-w2m2-3vjp                                      │
└───────────────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
@dirkmueller dirkmueller requested a review from a team as a code owner November 8, 2022 13:22
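The description above explains why 0.3.7 is flagged: `ParseAcceptLanguage` can spend a long time on a crafted `Accept-Language` header, so an attacker can tie up a server with a few requests. Bumping x/text is the real fix; as defence in depth, a service can also cap the header before any parser sees it, which bounds the work even if a vulnerable copy is still somewhere in the dependency tree. The following is an added example written for this page, not code from urfave/cli, golang.org/x/text or the PR author. It uses only the Go standard library, substitutes a placeholder `naiveParse` for `language.ParseAcceptLanguage`, and the byte/range limits, the `langKey` context key and the sample headers are assumptions chosen here.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Bounds applied to Accept-Language before any parsing library sees it.
// Real clients send a handful of short tags; these values are an assumption
// chosen for this example, not numbers from the PR, x/text or urfave/cli.
const (
	maxAcceptLanguageBytes = 256
	maxLanguageRanges      = 16
)

var errAcceptLanguageTooLarge = errors.New("Accept-Language header exceeds size limits")

// checkAcceptLanguage rejects headers larger or more complex than a legitimate
// client sends. It is not a BCP 47 parser; it only caps the work handed on.
func checkAcceptLanguage(header string) error {
	if len(header) > maxAcceptLanguageBytes {
		return errAcceptLanguageTooLarge
	}
	if strings.Count(header, ",")+1 > maxLanguageRanges {
		return errAcceptLanguageTooLarge
	}
	return nil
}

// LanguageParser stands in for golang.org/x/text/language.ParseAcceptLanguage;
// a real service would pass a thin wrapper around that call.
type LanguageParser func(header string) ([]string, error)

// naiveParse is the placeholder parser for the demo: it splits the header into
// language ranges and drops q-values. It is not x/text and validates no tags.
func naiveParse(header string) ([]string, error) {
	var tags []string
	for _, part := range strings.Split(header, ",") {
		tag := strings.TrimSpace(strings.SplitN(part, ";", 2)[0])
		if tag == "" {
			return nil, fmt.Errorf("empty language range in %q", header)
		}
		tags = append(tags, tag)
	}
	return tags, nil
}

// langKey is the (assumed) context key under which accepted tags are stored.
type langKey struct{}

func languagesFrom(ctx context.Context) []string {
	tags, _ := ctx.Value(langKey{}).([]string)
	return tags
}

// boundAcceptLanguage wraps a handler so oversized Accept-Language headers get
// a 400 before the parser runs; accepted tags go into the request context.
func boundAcceptLanguage(parse LanguageParser, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		header := r.Header.Get("Accept-Language")
		if header == "" {
			next.ServeHTTP(w, r)
			return
		}
		if err := checkAcceptLanguage(header); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		tags, err := parse(header)
		if err != nil {
			http.Error(w, "malformed Accept-Language", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), langKey{}, tags)))
	})
}

// serve pushes one request with the given header through the guarded handler
// via httptest and returns the status code and the tags the inner handler saw.
func serve(header string) (int, []string) {
	var seen []string
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = languagesFrom(r.Context())
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if header != "" {
		req.Header.Set("Accept-Language", header)
	}
	boundAcceptLanguage(naiveParse, inner).ServeHTTP(rec, req)
	return rec.Code, seen
}

func main() {
	// Constructed inputs: a typical browser header and a pathological one of
	// the shape a probe for this bug would send (many long comma-separated ranges).
	code, tags := serve("en-US,en;q=0.9,de;q=0.8")
	fmt.Println("normal:", code, tags)
	code, _ = serve(strings.Repeat("en-"+strings.Repeat("a", 8)+",", 200))
	fmt.Println("oversized:", code)
}
```

With the real library, pass a wrapper of the form `func(h string) ([]string, error)` that calls `language.ParseAcceptLanguage` and stringifies the returned tags. The cap is cheap and does not replace the upgrade; after merging a bump like this one, confirm it actually landed in the build with `go list -m golang.org/x/text`.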
@abitrolly
Contributor

Fixes this vulnerability https://osv.dev/vulnerability/GO-2022-1059

How about updating to 0.4.0, which drops Go 1.2 compatibility? golang/text@v0.3.8...v0.4.0

@meatballhat meatballhat added this to the Release 3.x milestone Nov 8, 2022
@meatballhat meatballhat changed the base branch from main to v2-maint November 8, 2022 20:15
@meatballhat
Member

FYI I'm going to merge this to v2-maint and then follow up with a bump to v0.4.0 as suggested by @abitrolly

@meatballhat meatballhat merged commit 61efca6 into urfave:v2-maint Nov 8, 2022