Bump package versions and the min Go versions to satisfy govulncheck #437
benjojo wants to merge 1 commit into
This commit fixes the below outputs of govulncheck

$ govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2026-4986
    Quadratic string concatentation in consumeComment in net/mail
  More info: https://pkg.go.dev/vuln/GO-2026-4986
  Standard library
    Found in: net/mail@go1.26.2
    Fixed in: net/mail@go1.26.3
    Example traces found:
      #1: webmail/api.go:1682:30: webmail.recipientSecurity calls mail.AddressParser.Parse
      #2: message/addr.go:15:32: message.ParseAddressList calls mail.AddressParser.ParseList
      #3: message/part.go:494:19: message.parseEnvelope calls mail.Header.Date

Vulnerability #2: GO-2026-4982
    Bypass of meta content URL escaping causes XSS in html/template
  More info: https://pkg.go.dev/vuln/GO-2026-4982
  Standard library
    Found in: html/template@go1.26.2
    Fixed in: html/template@go1.26.3
    Example traces found:
      #1: webapisrv/server.go:347:35: webapisrv.server.ServeHTTP calls template.Template.Execute

Vulnerability #3: GO-2026-4980
    Escaper bypass leads to XSS in html/template
  More info: https://pkg.go.dev/vuln/GO-2026-4980
  Standard library
    Found in: html/template@go1.26.2
    Fixed in: html/template@go1.26.3
    Example traces found:
      #1: webapisrv/server.go:347:35: webapisrv.server.ServeHTTP calls template.Template.Execute

Vulnerability #4: GO-2026-4977
    Quadratic string concatenation in consumePhrase in net/mail
  More info: https://pkg.go.dev/vuln/GO-2026-4977
  Standard library
    Found in: net/mail@go1.26.2
    Fixed in: net/mail@go1.26.3
    Example traces found:
      #1: webmail/api.go:1682:30: webmail.recipientSecurity calls mail.AddressParser.Parse
      #2: message/addr.go:15:32: message.ParseAddressList calls mail.AddressParser.ParseList

Vulnerability #5: GO-2026-4976
    ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
  More info: https://pkg.go.dev/vuln/GO-2026-4976
  Standard library
    Found in: net/http/httputil@go1.26.2
    Fixed in: net/http/httputil@go1.26.3
    Example traces found:
      #1: http/webserver.go:505:17: http.HandleForward calls httputil.ReverseProxy.ServeHTTP

Vulnerability #6: GO-2026-4971
    Panic in Dial and LookupPort when handling NUL byte on Windows in net
  More info: https://pkg.go.dev/vuln/GO-2026-4971
  Standard library
    Found in: net@go1.26.2
    Fixed in: net@go1.26.3
    Example traces found:
      #1: ctl.go:52:23: mox.xctl calls net.Dial
      #2: sendmail.go:332:21: mox.cmdSendmail calls net.Dialer.Dial
      #3: dane/dane.go:248:31: dane.Dial calls net.Dialer.DialContext
      #4: mox-/lifecycle.go:97:23: mox.Listen calls net.Listen
      #5: dns/mock.go:97:23: dns.MockResolver.LookupPort calls net.LookupPort

Vulnerability #7: GO-2026-4918
    Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2026-4918
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.39.0
    Fixed in: golang.org/x/net@v0.53.0
  Standard library
    Found in: net/http@go1.26.2
    Fixed in: net/http@go1.26.3
    Example traces found:
      #1: queue/hook.go:1262:28: queue.HookPost calls http.Client.Do
      #2: main.go:3527:28: mox.cmdWebapi calls http.PostForm
      #3: http/webserver.go:505:17: http.HandleForward calls httputil.ReverseProxy.ServeHTTP, which calls http.Transport.RoundTrip

Vulnerability #8: GO-2026-4441
    Infinite parsing loop in golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2026-4441
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.39.0
    Fixed in: golang.org/x/net@v0.45.0
    Example traces found:
      #1: message/preview.go:355:25: message.previewHTML calls html.Parse

Vulnerability #9: GO-2026-4440
    Quadratic parsing complexity in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2026-4440
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.39.0
    Fixed in: golang.org/x/net@v0.45.0
    Example traces found:
      #1: message/preview.go:355:25: message.previewHTML calls html.Parse

Your code is affected by 9 vulnerabilities from 1 module and the Go standard library.
This scan also found 1 vulnerability in packages you import and 4 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities.
Use '-show verbose' for more details.