
Conversation

@dirkmueller

What type of PR is this?

  • cleanup

What this PR does / why we need it:

New version of x/text needed to avoid security scanners flagging this code
as vulnerable.

Also run go mod tidy.

Testing

Not tested.

This fixes a vulnerability in 0.3.7. Also remove unnecessary indirect
dependency on the parent module.

┌───────────────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│      Library      │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                          Title                           │
├───────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ golang.org/x/text │ CVE-2022-32149      │ HIGH     │ 0.3.7             │ 0.3.8         │ golang: golang.org/x/text/language: ParseAcceptLanguage  │
│                   │                     │          │                   │               │ takes a long time to parse complex tags                  │
│                   │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-32149               │
│                   ├─────────────────────┼──────────┤                   │               ├──────────────────────────────────────────────────────────┤
│                   │ GHSA-69ch-w2m2-3vjp │ UNKNOWN  │                   │               │ An attacker may cause a denial of service by crafting an │
│                   │                     │          │                   │               │ Accept-Language...                                       │
│                   │                     │          │                   │               │ GHSA-69ch-w2m2-3vjp                                      │
└───────────────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
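A small check for the version floor this PR establishes, added here as an example and not part of the PR or the urfave/cli code base: it scans go.mod text for golang.org/x/text and flags anything below v0.3.8, the fixed version from the scanner table, using only the standard library. It assumes the module is pinned by a require directive (replace directives are ignored), and the go.mod fragment in main is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// semver parses "v0.3.7" into [major, minor, patch]; anything after the patch
// number (a "-pre"/pseudo-version or "+incompatible" suffix) is ignored here.
func semver(v string) (n [3]int, ok bool) {
	_, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &n[0], &n[1], &n[2])
	return n, err == nil
}

// RequiredVersion returns the version go.mod requires for module (require block
// or one-line require, "// indirect" or not). Assumption: replace directives are ignored.
func RequiredVersion(gomod, module string) (string, bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module && f[1] != "=>" {
			return f[1], true
		}
	}
	return "", false
}

// Vulnerable reports whether go.mod pins golang.org/x/text below v0.3.8, the fixed
// version for CVE-2022-32149 in the scanner table; an unparseable version is flagged too.
func Vulnerable(gomod string) bool {
	v, ok := RequiredVersion(gomod, "golang.org/x/text")
	if !ok {
		return false // x/text is not a dependency at all
	}
	have, ok := semver(v)
	if !ok {
		return true // fail closed: a human should look at it
	}
	want := [3]int{0, 3, 8} // v0.3.8
	for i := range have {
		if have[i] != want[i] {
			return have[i] < want[i]
		}
	}
	// Same core version: a pre-release or pseudo-version of v0.3.8 still sorts before it.
	return strings.Contains(v, "-")
}

func main() {
	fmt.Println(Vulnerable("require golang.org/x/text v0.3.7 // indirect")) // constructed input
}
```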
@dirkmueller dirkmueller requested a review from a team as a code owner November 8, 2022 13:22
@abitrolly
Contributor

Fixes this vulnerability https://osv.dev/vulnerability/GO-2022-1059

How about updating to 0.4.0, which drops Go 1.2 compatibility? golang/text@v0.3.8...v0.4.0

@meatballhat meatballhat added this to the Release 3.x milestone Nov 8, 2022
@meatballhat meatballhat changed the base branch from main to v2-maint November 8, 2022 20:15
@meatballhat
Member

FYI I'm going to merge this to v2-maint and then follow up with a bump to v0.4.0 as suggested by @abitrolly

@meatballhat meatballhat merged commit 61efca6 into urfave:v2-maint Nov 8, 2022