govulncheck: run from a container #1219
@@ -4,46 +4,58 @@ ignored-vulnerabilities: | |
| # Fixed in: crypto/x509@go1.24.8 | ||
| - id: GO-2025-4013 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4013 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # Lack of limit when parsing cookies can cause memory exhaustion in net/http | ||
| # Found in: net/http@go1.23.12 | ||
| # Fixed in: net/http@go1.24.8 | ||
| - id: GO-2025-4012 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4012 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # Parsing DER payload can cause memory exhaustion in encoding/asn1 | ||
| # Found in: encoding/asn1@go1.23.12 | ||
| # Fixed in: encoding/asn1@go1.24.8 | ||
| - id: GO-2025-4011 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4011 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # Insufficient validation of bracketed IPv6 hostnames in net/url | ||
| # Found in: net/url@go1.23.12 | ||
| # Fixed in: net/url@go1.24.8 | ||
| - id: GO-2025-4010 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4010 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # Quadratic complexity when parsing some invalid inputs in encoding/pem | ||
| # Found in: encoding/pem@go1.23.12 | ||
| # Fixed in: encoding/pem@go1.24.8 | ||
| - id: GO-2025-4009 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4009 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # ALPN negotiation error contains attacker controlled information in crypto/tls | ||
| # Found in: crypto/tls@go1.23.12 | ||
| # Fixed in: crypto/tls@go1.24.8 | ||
| - id: GO-2025-4008 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4008 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # Quadratic complexity when checking name constraints in crypto/x509 | ||
| # Found in: crypto/x509@go1.23.12 | ||
| # Fixed in: crypto/x509@go1.24.9 | ||
| - id: GO-2025-4007 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4007 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # Excessive CPU consumption in ParseAddress in net/mail | ||
| # Found in: net/mail@go1.23.12 | ||
| # Fixed in: net/mail@go1.24.8 | ||
| - id: GO-2025-4006 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4006 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # Excessive resource consumption when printing error string for host certificate validation in crypto/x509 | ||
| # Found in: crypto/x509@go1.23.12 | ||
| # Fixed in: crypto/x509@go1.24.11 | ||
| - id: GO-2025-4155 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4155 | ||
| silence-until: 2026-01-03 | ||
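Review bot: the eight `silence-until` bumps in this hunk (2025-12-03 to 2026-01-03, GO-2025-4006 through GO-2025-4013) re-silence standard-library issues whose own comments record a fix in go1.24.8 or go1.24.9 (`# Found in: net/http@go1.23.12`, `# Fixed in: net/http@go1.24.8`), without stating why the toolchain is not being moved instead. The new GO-2025-4155 entry names go1.24.11 as its fix version; building with that toolchain would make every entry in this hunk unnecessary and let the block be deleted rather than extended. If the upgrade is blocked, record the blocker next to each silence in a `#` comment so the next expiry is a decision rather than another date bump, and note that GO-2025-4175 at the end of the hunk (excluded DNS name constraints not applied to wildcard names) is a verification bypass rather than a resource-exhaustion issue, so it is the entry that least warrants a blanket silence.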
Comment on lines +50 to +55

Summary: GO-2025-4155 (CVE-2025-61729) is an excessive-resource-consumption bug in crypto/x509: HostnameError.Error() could print an unbounded number of hosts using repeated string concatenation (quadratic runtime), allowing a malicious certificate to cause high CPU/memory use. Fixes limit the number of hosts and use strings.Builder. [1][2]

Affected Go releases:

Fixed in:

References:

If you want, I can provide exact upgrade commands for your platform or scan a go.mod to show whether your codebase is affected.

Scripts executed (Repository: codeready-toolchain/host-operator):

```shell
# Check if GO-2025-4155 appears elsewhere in the file
rg "GO-2025-4155" .govulncheck.yaml
# Also verify the file structure and list all vulnerability IDs
rg "^\s*- id: GO-" .govulncheck.yaml
# Attempt to read the .govulncheck.yaml file directly without cloning
cat .govulncheck.yaml | rg "GO-2025-4155"
# Try reading the file if it exists in the current context
fd "govulncheck.yaml" --exec cat {}
```

Add go1.25.5 to the fix version for GO-2025-4155. The vulnerability GO-2025-4155 is published and legitimate (CVE-2025-61729), but the entry is incomplete. The vulnerability is fixed in both go1.24.11 and go1.25.5; the YAML should reflect both versions.
||
| # Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509 | ||
| # Found in: crypto/x509@go1.23.12 | ||
| # Fixed in: crypto/x509@go1.24.11 | ||
| - id: GO-2025-4175 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4175 | ||
| silence-until: 2026-01-03 | ||
Comment on lines +56 to +61

Summary: GO-2025-4175 (CVE-2025-61727) is a crypto/x509 bug where an excluded DNS name constraint in a certificate chain does not stop a leaf certificate from using a wildcard SAN (e.g., excluding test.example.com doesn't block a leaf with SAN *.example.com). This can allow acceptance of certificates that should have been excluded. [1][2]

Affected Go versions:

Fixes / Mitigation:

References:

GO-2025-4175 is a legitimate vulnerability, but the entry is incomplete. The vulnerability is verified as a real, published Go security issue (CVE-2025-61727) affecting crypto/x509 DNS name constraint validation with wildcard names. However, the entry only documents the fix for Go 1.24.11 and omits that this vulnerability also affects Go 1.25.0–1.25.4 and is fixed in Go 1.25.5. Update the entry to reflect all affected versions and fix versions for completeness.
nice catch 👍

thanks ;)
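As an added example (not code from this PR or the host-operator project), a small Go audit of an ignore file in the shape of the diff above: it flags entries that the configured toolchain already fixes, so the silence is no longer needed, and `silence-until` dates that are missing, malformed or expired. The line-based parse of the `id` / `silence-until` keys and the `# Fixed in: pkg@goX.Y.Z` comments is an assumption about the file's format, and the sample input is constructed.

```go
package main

import (
	"fmt"
	"go/version"
	"strings"
	"time"
)

const sampleIgnoreFile = `ignored-vulnerabilities: # constructed sample, shaped like the diff
  # Fixed in: net/http@go1.24.8
  - id: GO-2025-4012
    silence-until: 2026-01-03
  # Fixed in: crypto/x509@go1.24.11
  - id: GO-2025-4175
    silence-until: 2026-01-03`

type Entry struct{ ID, FixedIn, SilenceUntil string } // FixedIn is taken from the "# Fixed in:" comment above the entry

// ParseIgnoreFile is a minimal line-based parse of the assumed format (no YAML dependency).
func ParseIgnoreFile(src string) (out []Entry) {
	fixed := ""
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "# Fixed in:"):
			fixed = line[strings.LastIndex(line, "@")+1:] // e.g. go1.24.8
		case strings.HasPrefix(line, "- id:"):
			out, fixed = append(out, Entry{ID: strings.TrimSpace(line[5:]), FixedIn: fixed}), ""
		case strings.HasPrefix(line, "silence-until:") && len(out) > 0:
			out[len(out)-1].SilenceUntil = strings.TrimSpace(line[14:])
		}
	}
	return out
}

// Audit flags silences the toolchain already makes unnecessary, and silence-until dates that are missing, malformed or not after today.
func Audit(entries []Entry, toolchain string, today time.Time) (findings []string) {
	for _, e := range entries {
		if version.IsValid(e.FixedIn) && version.Compare(toolchain, e.FixedIn) >= 0 {
			findings = append(findings, e.ID+": fixed in "+e.FixedIn+", already covered by "+toolchain)
		}
		if until, err := time.Parse("2006-01-02", e.SilenceUntil); err != nil || !today.Before(until) {
			findings = append(findings, e.ID+": silence-until "+e.SilenceUntil+" is missing, malformed or expired")
		}
	}
	return findings
}

func main() { fmt.Println(Audit(ParseIgnoreFile(sampleIgnoreFile), "go1.24.9", time.Now())) }
```

Run it against the real `.govulncheck.yaml` and the toolchain from `go.mod` in CI so an entry cannot outlive the fix it is waiting for.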