This repository has been archived by the owner on Nov 19, 2024. It is now read-only.

CVE-2024-0406 Archiver Path Traversal vulnerability #404

Open
earl-warren opened this issue Jun 5, 2024 · 7 comments
Labels
v3-deprecated v3 (no longer developed)

Comments

@earl-warren

earl-warren commented Jun 5, 2024

https://pkg.go.dev/vuln/GO-2024-2698 was published today and makes https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck fail.

@earl-warren
Author

That's only if using 3.5.1; 3.5.2 is good: GHSA-rhh4-rh7c-7r5v

@earl-warren
Author

But 3.5.2 is not released yet, it is only available in a fork
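For readers landing here from a govulncheck failure, the following is an added illustration of the bug class named in the title (an archive entry name walking out of the extraction directory), not code from the archiver project, from Forgejo, or from the advisory. It assumes nothing about archiver's internals: `unsafeTarget` is the generic vulnerable pattern, `safeTarget` and `checkSymlinkEntry` are the containment checks an extractor should apply, and all entry names and paths are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal marks an archive entry whose extraction path would leave the destination.
var ErrTraversal = errors.New("archive entry escapes destination directory")

// unsafeTarget is the vulnerable pattern behind "zip slip" style bugs (illustrative, not
// archiver's code): the entry name taken from the archive is joined onto dest with no
// containment check, so "../" components in the name walk out of dest.
func unsafeTarget(dest, name string) string {
	return filepath.Join(dest, name)
}

// within reports whether target is dest itself or a path underneath it. It compares
// cleaned, lexical paths only; it does not follow symlinks already present on disk.
func within(dest, target string) bool {
	rel, err := filepath.Rel(dest, target)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(os.PathSeparator))
}

// safeTarget is the hardened form: it joins the entry name onto dest (Join cleans the
// result, so "a/../../b" collapses before the check) and rejects anything outside dest.
func safeTarget(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name)
	if !within(dest, target) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	return target, nil
}

// checkSymlinkEntry applies the same rule to symlink entries: the link itself must be
// created inside dest, and its target, resolved relative to the link's own directory,
// must also stay inside dest. Otherwise a later entry written through the link escapes.
func checkSymlinkEntry(dest, name, linkname string) error {
	linkPath, err := safeTarget(dest, name)
	if err != nil {
		return err
	}
	resolved := linkname
	if !filepath.IsAbs(linkname) {
		resolved = filepath.Join(filepath.Dir(linkPath), linkname)
	}
	if !within(filepath.Clean(dest), filepath.Clean(resolved)) {
		return fmt.Errorf("%w: symlink %q -> %q", ErrTraversal, name, linkname)
	}
	return nil
}

func main() {
	// Constructed entry names, as an attacker-controlled archive could carry them.
	dest := filepath.Join(os.TempDir(), "extract")
	names := []string{"docs/readme.txt", "../../etc/cron.d/job", "..", "..hidden/file"}
	for _, n := range names {
		fmt.Printf("%-24s unsafe -> %s\n", n, unsafeTarget(dest, n))
		if t, err := safeTarget(dest, n); err != nil {
			fmt.Printf("%-24s safe   -> rejected: %v\n", n, err)
		} else {
			fmt.Printf("%-24s safe   -> %s\n", n, t)
		}
	}
	fmt.Println(checkSymlinkEntry(dest, "lib/link", "../../../etc"))
}
```

The prefix check deliberately includes the path separator, so a legitimate name such as `..hidden/file` is not rejected while `..` and `../x` are. The check is purely lexical: if an earlier entry has already created a symlink inside `dest`, a later entry can still be written through it, so an extractor also needs to reject or defer symlink entries as above, verify path components with `os.Lstat` before writing, or (Go 1.24 and later) open the destination with `os.OpenRoot` so the kernel enforces containment.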

@earl-warren earl-warren reopened this Jun 5, 2024
DennisRasey pushed a commit to DennisRasey/forgejo that referenced this issue Jun 6, 2024
It is not possible to tell vulncheck that Forgejo is not affected by
CVE-2024-0406. Use a mirror of the repository to do that.

Refs: mholt/archiver#404
DennisRasey pushed a commit to DennisRasey/forgejo that referenced this issue Jun 6, 2024
It is not possible to tell vulncheck that Forgejo is not affected by
CVE-2024-0406. Use a mirror of the repository to do that.

Refs: mholt/archiver#404
(cherry picked from commit 3bfec27)

Conflicts:
	go.sum
	trivial context conflict
@viceice

viceice commented Jul 5, 2024

@mholt Any chance to publish a v3.5.2 as fix?

@rathinikunj

@mholt I am also looking for the fix of this CVE. Any chance we are going to publish v3.5.2 this week?

@rpmoore

rpmoore commented Jul 23, 2024

I'd also like to see a release of this. Our build is failing with govulncheck because of this.

@rathinikunj

@mholt Just checking in again to know if you plan to release the CVE-free version soon.

@ddhawal

ddhawal commented Oct 16, 2024

@mholt Just rechecking if we will get a CVE-free version any time soon?

@mholt mholt added the v3-deprecated v3 (no longer developed) label Nov 19, 2024
Development

No branches or pull requests

6 participants