Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://social.tchncs.de/users/teleclimber/statuses/113642153419791397">Olivier Forget (teleclimber@social.tchncs.de)'s status on Friday, 13-Dec-2024 07:28:23 JST</a><a href="https://social.tchncs.de/@teleclimber" title="teleclimber@social.tchncs.de"><img src="https://gnusocial.jp/avatar/42387-48-20221128235240.webp" width="48" height="48" alt="Olivier Forget" style="position: absolute; left: 0; top: 0;">Olivier Forget</a><div><ul><li></ul></div></section><article><p>FYI <a href="https://social.tchncs.de/tags/Github" rel="tag">#Github</a> <a href="https://social.tchncs.de/tags/Dependabot" rel="tag">#Dependabot</a> flags that <a href="https://social.tchncs.de/tags/Go" rel="tag">#Go</a> crypto <a href="https://social.tchncs.de/tags/vulnerability" rel="tag">#vulnerability</a> in your project even if you aren't affected. It checks if you import the package, not if you actually use the affected functions. govulncheck does it correctly.</p><p>Lucky for me that means I don't have to change anything in my project.</p><p>Thanks to <a href="https://abyssdomain.expert/@filippo">@filippo</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4175154#notice-8159787">In conversation</a><time datetime="2024-12-13T07:28:23+09:00" title="Friday, 13-Dec-2024 07:28:23 JST">about 4 months ago</time> <span>from <span><a href="https://social.tchncs.de/@teleclimber/113642153419791397" rel="external" title="Sent from social.tchncs.de via ActivityPub">social.tchncs.de</a></span></span><a href="https://social.tchncs.de/@teleclimber/113642153419791397">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/3686799">Github dependabot page for project Dropserver for "Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto" CVE-2024-45337</a></label><br><a href="https://f2.tchncs.de/media_attachments/files/113/642/153/263/003/682/original/d8e75a93f47a8208.png" rel="external">https://f2.tchncs.de/media_attachments/files/113/642/153/263/003/682/original/d8e75a93f47a8208.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/3686800">Verbose output of govulncheck on same Dropserver project showing that it is not affected by the vulnerability because we don't appear to call affect methods. Full text:"DropServer git:(tailscale-1) ✗ govulncheck -show verbose ./...Scanning your code and 643 packages across 83 dependent modules for known vulnerabilities...Fetching vulnerabilities from the database...Checking the code against the vulnerabilities...=== Symbol Results ===No vulnerabilities found.=== Package Results ===No other vulnerabilities found.=== Module Results ===Vulnerability #1: GO-2024-3321    Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in    golang.org/x/crypto  More info: https://pkg.go.dev/vuln/GO-2024-3321  Module: golang.org/x/crypto    Found in: golang.org/x/crypto@v0.29.0    Fixed in: golang.org/x/crypto@v0.31.0Your code is affected by 0 vulnerabilities.This scan also found 0 vulnerabilities in packages you import and 1vulnerability in modules you require, but your code doesn't appear to call thesevulnerabilities.</a></label><br><a href="https://f2.tchncs.de/media_attachments/files/113/642/153/239/018/211/original/f6b311c4e4b6ed37.png" rel="external">https://f2.tchncs.de/media_attachments/files/113/642/153/239/018/211/original/f6b311c4e4b6ed37.png</a></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Olivier Forget (teleclimber@social.tchncs.de)'s status on Friday, 13-Dec-2024 07:28:23 JSTOlivier Forget
- Filippo Valsorda :go:
FYI #Github #Dependabot flags that #Go crypto #vulnerability in your project even if you aren't affected. It checks if you import the package, not if you actually use the affected functions. govulncheck does it correctly.
Lucky for me that means I don't have to change anything in my project.
Thanks to @filippo
In conversationabout 4 months ago from social.tchncs.depermalink
Attachments
1. Github dependabot page for project Dropserver for "Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto" CVE-2024-45337
  https://f2.tchncs.de/media_attachments/files/113/642/153/263/003/682/original/d8e75a93f47a8208.png
2. Verbose output of govulncheck on same Dropserver project showing that it is not affected by the vulnerability because we don't appear to call affect methods. Full text: "DropServer git:(tailscale-1) ✗ govulncheck -show verbose ./... Scanning your code and 643 packages across 83 dependent modules for known vulnerabilities... Fetching vulnerabilities from the database... Checking the code against the vulnerabilities... === Symbol Results === No vulnerabilities found. === Package Results === No other vulnerabilities found. === Module Results === Vulnerability #1: GO-2024-3321 Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto More info: https://pkg.go.dev/vuln/GO-2024-3321 Module: golang.org/x/crypto Found in: golang.org/x/crypto@v0.29.0 Fixed in: golang.org/x/crypto@v0.31.0 Your code is affected by 0 vulnerabilities. This scan also found 0 vulnerabilities in packages you import and 1 vulnerability in modules you require, but your code doesn't appear to call these vulnerabilities.
  https://f2.tchncs.de/media_attachments/files/113/642/153/239/018/211/original/f6b311c4e4b6ed37.png