Closed alexopenline closed 10 months ago
Thank you for sharing this @alexopenline, we will look at this ASAP.
All three CVEs involve processing an image: decoding a TIFF image. Even if you are storing TIFF images as events in EventStoreDB, it wouldn’t call the code mentioned in the CVEs.
However a client application that’s decoding a TIFF image from an event could be at risk. In such a case, the onus is on the app developer to use the later version of Go’s TIFF dependency you mention.
We are currently using the October 16 version of this rpc dependency. The Oct 16, Oct 30 and Nov 6 versions of rpc do not mention this as a security issue.
Thanks.
Exposed vulnerabilities:
Introduced through: google.golang.org/genproto/googleapis/rpc@v0.0.0-20231016165738-49dd2c1f3d0b
Fixed in: golang.org/x/image/tiff@0.10.0
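The maintainers' point above is that the server only stores event bytes, so the exposure sits in whichever client application decodes TIFF payloads, and the remedy there is the x/image version named in the "Fixed in" line. As an added example (not code from EventStoreDB, the reporter, or this issue), the Go program below reads a go.mod file and reports whether golang.org/x/image is pinned below the fixed release. It assumes that "golang.org/x/image/tiff@0.10.0" corresponds to the module golang.org/x/image at tag v0.10.0; the two go.mod files, the module path example.com/eventstore-client, and the pseudo-version used in the check are all constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// The issue's advisory names golang.org/x/image/tiff@0.10.0 as the fix.
// Assumption: that is the module golang.org/x/image at tag v0.10.0.
const (
	FixedImageModule  = "golang.org/x/image"
	FixedImageVersion = "v0.10.0"
)

// Constructed sample go.mod files (not the project's). The first pins x/image
// below the fix as an indirect dependency, as happens when it arrives transitively.
const VulnerableGoMod = `module example.com/tiffclient

go 1.21

require (
	example.com/eventstore-client v1.0.0 // placeholder module, constructed
	golang.org/x/image v0.9.0 // indirect
)
`

const PatchedGoMod = `module example.com/tiffclient

go 1.21

require example.com/eventstore-client v1.0.0 // placeholder module, constructed

require golang.org/x/image v0.10.0
`

// parseSemver turns "vMAJOR.MINOR.PATCH[-prerelease][+build]" into three ints.
// A pseudo-version such as v0.0.0-20230101000000-000000000000 reduces to 0.0.0,
// which sorts it below any tagged v0.x release, as Go's own ordering does.
func parseSemver(v string) ([3]int, bool) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// less reports whether version a sorts strictly before version b.
func less(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// ModuleVersions maps module path -> version for every require line in go.mod text,
// handling both the single-line and the block form. Trailing comments such as
// "// indirect" are stripped first, so indirect requirements are still captured.
func ModuleVersions(gomod string) map[string]string {
	versions := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if inBlock && len(fields) == 2 {
			versions[fields[0]] = fields[1]
		} else if !inBlock && len(fields) == 3 && fields[0] == "require" {
			versions[fields[1]] = fields[2]
		}
	}
	return versions
}

// CheckImageModule reports whether golang.org/x/image is required in the go.mod text
// and, if so, whether that version is below the fixed release. A version that does
// not parse is reported as below the fix so that it gets reviewed rather than ignored.
func CheckImageModule(gomod string) (present, belowFix bool, version string) {
	version, present = ModuleVersions(gomod)[FixedImageModule]
	if !present {
		return false, false, ""
	}
	got, ok := parseSemver(version)
	fixed, _ := parseSemver(FixedImageVersion)
	if !ok {
		return true, true, version
	}
	return true, less(got, fixed), version
}

func main() {
	for name, mod := range map[string]string{"vulnerable": VulnerableGoMod, "patched": PatchedGoMod} {
		present, below, v := CheckImageModule(mod)
		switch {
		case !present:
			fmt.Printf("%s: %s not listed in go.mod\n", name, FixedImageModule)
		case below:
			fmt.Printf("%s: %s %s is below %s, upgrade\n", name, FixedImageModule, v, FixedImageVersion)
		default:
			fmt.Printf("%s: %s %s is at or above %s\n", name, FixedImageModule, v, FixedImageVersion)
		}
	}
}
```

A go.mod file only lists what the main module requires; a module that is present in the build solely through another dependency's requirements may not appear in it at all. For the authoritative answer, run `go list -m golang.org/x/image` (or `go list -m all`) in the module, or `govulncheck ./...`, which also tells you whether the affected package is actually reachable from your code, which is exactly the distinction the maintainers draw between storing TIFF bytes and decoding them.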