Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability of dependency "golang.org/x/image" #438

Open
Silence-worker-02 opened this issue Jul 13, 2023 · 3 comments
Open

Vulnerability of dependency "golang.org/x/image" #438

Silence-worker-02 opened this issue Jul 13, 2023 · 3 comments
Assignees
@LinkinStars

Comments

@Silence-worker-02
Copy link

Hello, we are a team researching the dependency management mechanism of Golang. During our analysis, we came across your project and noticed that it contains a vulnerability (CVE-2022-41727). In your project, the github.com/golang/image package is being used at version golang.org/x/image v0.1.0, but the patched version is v0.5.0. To fix the vulnerability, we recommend modifying the go.mod file to update the version to v0.5.0 or higher. Thank you for your attention to this matter.
@Silence-worker-02
Copy link
Author

Silence-worker-02 commented Jul 14, 2023
edited
Loading

We also came across your project and noticed that it contains a vulnerability (CVE-2023-26125). In your project, the github.com/gin-gonic/gin package is being used at version github.com/gin-gonic/gin v1.8.1, but the patched version is v1.9.0. To fix the vulnerability, we recommend modifying the go.mod file to update the version to v1.9.0 or higher. Thank you for your attention to this matter.

@LinkinStars LinkinStars added this to the v1.1.3 milestone Aug 25, 2023
@LinkinStars
Copy link
Member

Hello, we are a team researching the dependency management mechanism of Golang. During our analysis, we came across your project and noticed that it contains a vulnerability (CVE-2022-41727). In your project, the github.com/golang/image package is being used at version golang.org/x/image v0.1.0, but the patched version is v0.5.0. To fix the vulnerability, we recommend modifying the go.mod file to update the version to v0.5.0 or higher. Thank you for your attention to this matter.

@Silence-worker-02 Caused by third-party libraries not updating their dependencies. However, answer does not support tiff format images, so the security risk is not high. If PR is merged, we will update it immediately. disintegration/imaging#158

@LinkinStars
Copy link
Member

We also came across your project and noticed that it contains a vulnerability (CVE-2023-26125). In your project, the github.com/gin-gonic/gin package is being used at version github.com/gin-gonic/gin v1.8.1, but the patched version is v1.9.0. To fix the vulnerability, we recommend modifying the go.mod file to update the version to v1.9.0 or higher. Thank you for your attention to this matter.

Done.

@fenbox fenbox removed this from the v1.1.3 milestone Sep 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@LinkinStars LinkinStars

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@fenbox @LinkinStars @Silence-worker-02