Impact
The `siftool new` command and the function siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the github.com/satori/go.uuid module used as a dependency.
Patches
A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade.
The patch is commit sylabs/sif@1939628.
Workarounds
Users passing a CreateInfo struct should ensure the ID field is generated using a version of github.com/satori/go.uuid that is not vulnerable to this issue. Unfortunately, the latest tagged release is vulnerable to this issue. One way to obtain a non-vulnerable version is:
go get github.com/satori/go.uuid@75cca531ea763666bc46e531da3b4c3b95f64557
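The following is an added example, not code from the sylabs/sif project or from github.com/satori/go.uuid. It shows what a caller who fills the CreateInfo ID field itself should insist on from a UUID generator: every random byte comes from crypto/rand, a short or failed read is surfaced as an error rather than silently leaving the buffer zero-filled, and the resulting identifier can be checked before use. The UUID type, the NewV4/NewV4From functions and the CheckV4 heuristic are local to this example; the assumption that the sif module's ID field is a 16-byte RFC 4122 UUID (so a plain type conversion suffices) is stated in the code.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// UUID is a 16-byte RFC 4122 identifier. This is a local type for the
// example. Assumption: the UUID type behind CreateInfo.ID is also a
// 16-byte array, so a value of this type can be handed over with a plain
// type conversion (e.g. uuid.UUID(id)) if a caller wants to do so.
type UUID [16]byte

var zeroUUID UUID

// NewV4From builds a version 4 (random) UUID from the given reader.
// io.ReadFull turns a short read into io.ErrUnexpectedEOF, so a random
// source that delivers fewer than 16 bytes can never produce a
// partially zeroed identifier without the caller noticing.
func NewV4From(r io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(r, u[:]); err != nil {
		return zeroUUID, fmt.Errorf("uuid: reading random bytes: %w", err)
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version nibble = 4
	u[8] = (u[8] & 0x3f) | 0x80 // variant bits = RFC 4122 (10xx)
	return u, nil
}

// NewV4 is the production entry point: a version 4 UUID from crypto/rand.
func NewV4() (UUID, error) {
	return NewV4From(rand.Reader)
}

// CheckV4 validates an identifier before it is stored in an image header.
// Besides the version and variant bits it applies a heuristic: with those
// bits masked off, a UUID whose remaining 122 random bits are all zero
// cannot have come from a working random source.
func CheckV4(u UUID) error {
	if u[6]>>4 != 4 {
		return errors.New("uuid: not version 4")
	}
	if u[8]&0xc0 != 0x80 {
		return errors.New("uuid: not RFC 4122 variant")
	}
	masked := u
	masked[6] &= 0x0f
	masked[8] &= 0x3f
	if masked == zeroUUID {
		return errors.New("uuid: random bits are all zero")
	}
	return nil
}

// String renders the UUID in the canonical 8-4-4-4-12 hex form.
func (u UUID) String() string {
	var b [36]byte
	hex.Encode(b[0:8], u[0:4])
	b[8] = '-'
	hex.Encode(b[9:13], u[4:6])
	b[13] = '-'
	hex.Encode(b[14:18], u[6:8])
	b[18] = '-'
	hex.Encode(b[19:23], u[8:10])
	b[23] = '-'
	hex.Encode(b[24:36], u[10:16])
	return string(b[:])
}

func main() {
	id, err := NewV4()
	if err != nil {
		fmt.Println("cannot generate image ID:", err)
		return
	}
	if err := CheckV4(id); err != nil {
		fmt.Println("refusing to use ID:", err)
		return
	}
	// A caller would now place id into its CreateInfo ID field.
	fmt.Println("image ID:", id)
}
```

NewV4From takes the reader as a parameter so the failure modes can be exercised with constructed inputs: a reader that runs dry after a few bytes yields an error instead of a half-random UUID, and a reader of sixteen zero bytes yields "00000000-0000-4000-8000-000000000000", which CheckV4 rejects even though its version and variant bits look valid.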
References
For more information
If you have any questions or comments about this advisory: