CVE-2024-0406 Archiver Path Traversal vulnerability #404

Open
earl-warren opened this issue Jun 5, 2024 · 6 comments

earl-warren commented Jun 5, 2024

https://pkg.go.dev/vuln/GO-2024-2698 was published today and makes https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck fail.

@earl-warren
Author

That's only if using 3.5.1; 3.5.2 is good. GHSA-rhh4-rh7c-7r5v

@earl-warren
Author

But 3.5.2 is not released yet; it is only available in a fork.

@earl-warren earl-warren reopened this Jun 5, 2024
DennisRasey pushed a commit to DennisRasey/forgejo that referenced this issue Jun 6, 2024
It is not possible to tell vulncheck that Forgejo is not affected by
CVE-2024-0406. Use a mirror of the repository to do that.

Refs: mholt/archiver#404
DennisRasey pushed a commit to DennisRasey/forgejo that referenced this issue Jun 6, 2024
It is not possible to tell vulncheck that Forgejo is not affected by
CVE-2024-0406. Use a mirror of the repository to do that.

Refs: mholt/archiver#404
(cherry picked from commit 3bfec27)

Conflicts:
	go.sum
	trivial context conflict

viceice commented Jul 5, 2024

@mholt Any chance to publish a v3.5.2 as a fix?

@rathinikunj

@mholt I am also looking for the fix of this CVE. Any chance we are going to publish v3.5.2 this week?


rpmoore commented Jul 23, 2024

I'd also like to see a release of this. Our build is failing with govulncheck because of this.

@rathinikunj

@mholt Just checking in again to know if you plan to release the CVE-free version soon.
