github
commented
3 weeks ago Hi there @lance6716! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.
This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory
lance6716
Fidget-Grep
advisory-database[bot]
Updates
Comments I would like to suggest this advisory to be withdrawn, as I do not believe that CVE-2021-3538 affects any version of github.com/go-mysql-org/go-mysql. The advisory for CVE-2021-3538 makes it clear that the vulnerability only affects the commits 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7daf2b8e1d60c45. It also mentions that this range of commits was never in a tagged release of satori/go.uuid. Now, comparing the tags 1.4.0 and 1.5.0 in github.com/go-mysql-org/go-mysql we can see the commit that replaced github.com/satori/go.uuid with github.com/google/uuid. Looking at the
go.modfile between versions, we can see that the version of github.com/satori/go.uuid used was 1.2.0, which is completely safe and not vulnerable to CVE-2021-3538. Searching previous versions ofgo.modI cannot find any other versions of github.com/satori/go.uuid. Because of this, I have reason to believe that github.com/go-mysql-org/go-mysql was never using a vulnerable version of github.com/satori/go.uuid.