Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update golang.org/x/net to resolve CVE-2021-38561 #4291

Closed
danieljmt opened this issue Feb 23, 2022 · 2 comments · Fixed by #4292
Closed

Update golang.org/x/net to resolve CVE-2021-38561 #4291

danieljmt opened this issue Feb 23, 2022 · 2 comments · Fixed by #4292

Comments

@danieljmt
Copy link
Contributor

danieljmt commented Feb 23, 2022
edited by jasdel
Loading

Please fill out the sections below to help us address your issue.

Version of AWS SDK for Go?

All

Version of Go (go version)?

All

What issue did you see?

CVE vulterability: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2021-38561
golang.org/x/text package parsing issue, https://osv.dev/vulnerability/GO-2021-0113

Steps to reproduce

N/A

If you have an runnable example, please include it.
@danieljmt danieljmt mentioned this issue Feb 23, 2022
Merged
@jasdel jasdel changed the title Update golang.org/x/net to resolve CVE-2021-38561 Update golang.org/x/text to resolve CVE-2021-38561 Feb 23, 2022
@jasdel jasdel changed the title Update golang.org/x/text to resolve CVE-2021-38561 Update golang.org/x/net to resolve CVE-2021-38561 Feb 23, 2022
@jasdel
Copy link
Contributor

jasdel commented Feb 23, 2022
edited
Loading

Thanks for posting this issue. The PR looks good and will be merged in once CI tests pass. Also I'd like to mention that the golang.org/x/net and golang.org/x/text packages are not used by the SDK's runtime. The golang.org/x packages are only ever used by the SDK's code generation, and testing packages. There is no golang.org/x/text vulnerability vector from the SDK.

@jasdel jasdel mentioned this issue Feb 23, 2022
Merged
jasdel pushed a commit that referenced this issue Feb 23, 2022
@danieljmt
go.mod: update vulnerable net library (#4292)
f084416 
Fixes #4291 by updating SDK's dependency on `golang.org/x/text` package to latest version CVE issue is addressed
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

go.mod: update vulnerable net library danieljmt/aws-sdk-go
2 participants
@jasdel @danieljmt