
bump golang.org/x/net to v0.33.0 to fix CVE-2024-45338 #1356

Open. Wants to merge 4 commits into base: master
Conversation

@sonasingh46 sonasingh46 commented Jan 2, 2025

Bumps golang.org/x/net to v0.33.0 to fix CVE-2024-45338.
It also bumps mimetype lib to latest v1.4.7.

Notes To Reviewers:
This bump also means bumping the Go version to at least 1.20, because of the usage of subtle.XORBytes in the crypto lib after the bump.

This means we can no longer have the test matrix for Go versions lower than 1.20; otherwise it will fail with the following error:

# golang.org/x/crypto/sha3
Error: ../../../go/pkg/mod/golang.org/x/[email protected]/sha3/sha3.go:123:15: undefined: subtle.XORBytes
Error: ../../../go/pkg/mod/golang.org/x/[email protected]/sha3/shake.go:129:22: undefined: bytes.Clone

See this for more reference: golang/go#68035

More Context:
The CVE is coming from the indirect dependency of golang.org/x/net from https://github.com/gabriel-vasile/mimetype. I think it is worth updating the dependency to fix the CVE and not wait for the release from mimetype!
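As an added example (not code from this PR or the go-playground project), a small Go check that reads go.mod text and reports whether it satisfies the two constraints the description lays out: a go directive of at least 1.20 and golang.org/x/net at the fix version v0.33.0 or newer. The go.mod contents, the module path and the function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod text (not the project's real file) in the shape the PR
// describes: go directive raised to 1.20, x/net bumped to v0.33.0.
const sampleGoMod = `module example.com/app
go 1.20
require (
	github.com/gabriel-vasile/mimetype v1.4.7
	golang.org/x/net v0.33.0 // indirect
)`

// versionAtLeast reports whether have >= want for "v0.33.0"/"1.20" style
// strings, comparing numeric parts so v0.33.0 sorts above v0.9.0.
func versionAtLeast(have, want string) bool {
	var h, w [3]int // missing parts stay 0, e.g. "1.20" -> 1.20.0
	fmt.Sscanf(strings.TrimPrefix(have, "v"), "%d.%d.%d", &h[0], &h[1], &h[2])
	fmt.Sscanf(strings.TrimPrefix(want, "v"), "%d.%d.%d", &w[0], &w[1], &w[2])
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return true
}

// CheckGoMod reports whether the go directive is >= 1.20 (needed once x/crypto
// uses subtle.XORBytes/bytes.Clone) and golang.org/x/net >= v0.33.0 (the fix).
func CheckGoMod(gomod string) (goOK, netOK bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) >= 3 && f[0] == "require" { // single-line "require x v1" form
			f = f[1:]
		}
		switch {
		case len(f) < 2: // blank lines, "require (", ")" and the like
		case f[0] == "go":
			goOK = versionAtLeast(f[1], "1.20")
		case f[0] == "golang.org/x/net":
			netOK = versionAtLeast(f[1], "v0.33.0")
		}
	}
	return goOK, netOK
}

func main() { fmt.Println(CheckGoMod(sampleGoMod)) }
```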

@sonasingh46 sonasingh46 requested a review from a team as a code owner January 2, 2025 19:18
@sonasingh46 sonasingh46 force-pushed the bump_x_net branch 3 times, most recently from f9b903a to 26a2755 on January 3, 2025 09:26
Signed-off-by: Ashutosh Kumar <[email protected]>
@coveralls

Coverage Status

coverage: 74.318%, remained the same when pulling e822e87 on sonasingh46:bump_x_net into 6c3307e on go-playground:master.

@sonasingh46 (Author)

Hi @deankarn (sorry for a direct tag) --
Given that the current latest version of this lib has an exploitable vulnerability, I raised this bump PR to fix it. I was thinking it would be nice to get a release cut for this. I am willing to help and spend time on the release if needed.

@nodivbyzero (Contributor)

@sonasingh46
Thank you very much for your contribution!
I’ve created a similar PR here, but there’s an ongoing discussion regarding the minimum supported Go version.
#1342

3 participants