github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-vrmr-f2qh-3hhf] Improper use of cryptographic key in wal-g #5002

Closed andrewpollock closed 2 weeks ago

andrewpollock commented 2 weeks ago

Updates

Comments

Fix versions for SEMVER compliance

shelbyc commented 2 weeks ago

Hi @andrewpollock, as in https://github.com/github/advisory-database/pull/5001, we set the vulnerable version range to < 1.1 because there is no version 1.1.0 on https://github.com/wal-g/wal-g or on https://pkg.go.dev/github.com/wal-g/wal-g. The fix commit is tagged with 1.1 and the release notes for version 1.1 mention the fix, so we're confident that < 1.1 is the correct VVR and 1.1 is the correct patched version.

andrewpollock commented 2 weeks ago

Hey @shelbyc 👋

Oh, interesting. I hadn't properly appreciated until now that this record is published with an ECOSYSTEM range type (so this version is fine as is) but OSV.dev is coercing all records with ranges for the Go ecosystem to SEMVER, which is where this becomes problematic.

Not your problem 😸

Sorry for the noise!
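To make the point from both comments above concrete (a `< 1.1` range that is fine as an ECOSYSTEM range but breaks once a consumer such as OSV.dev treats every Go range as SEMVER), here is an added example. It is not code from this thread, from github/advisory-database, or from OSV.dev. It evaluates an OSV-style `affected` entry under both range types, shows the failure when a two-component version meets a strict SemVer parser, and shows one way to normalise the record so a SEMVER-only consumer can evaluate it. The `affected` entry is constructed for the example rather than copied from the published GHSA-vrmr-f2qh-3hhf record, and the loose ECOSYSTEM comparison, the `canonicalize_semver` padding step and every function name are assumptions of the example, not OSV's or Go's own rules.

```python
"""Added example, not code from github/advisory-database or OSV.dev.

Demonstrates why a fixed version written as "1.1" is usable in an OSV
range of type ECOSYSTEM but not in one of type SEMVER: SemVer 2.0.0
requires MAJOR.MINOR.PATCH. The ECOSYSTEM comparison rule and the
canonicalisation step below are this example's own assumptions.
"""
import copy
import re

# The SemVer 2.0.0 regular expression published at semver.org.
SEMVER_RE = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)


def is_strict_semver(version: str) -> bool:
    return SEMVER_RE.match(version) is not None


def parse_semver(version: str) -> tuple:
    """Strict parse. "0" is accepted because OSV uses it in an
    'introduced' event to mean 'affected from the first release'."""
    if version == "0":
        return (0, 0, 0)
    m = SEMVER_RE.match(version)
    if m is None:
        raise ValueError(f"{version!r} is not a SemVer 2.0.0 version")
    return tuple(int(m.group(i)) for i in (1, 2, 3))


def parse_loose(version: str) -> tuple:
    """Assumed ECOSYSTEM comparison: leading 'v' dropped, dotted integers,
    missing components treated as 0, so "1.1" and "1.1.0" compare equal."""
    core = re.split(r"[-+]", version.lstrip("v"), maxsplit=1)[0]
    nums = tuple(int(p) for p in core.split("."))
    return nums + (0,) * max(0, 3 - len(nums))


def canonicalize_semver(version: str) -> str:
    """Pad "1.1" to "1.1.0" and drop a leading 'v', keeping prerelease and
    build metadata. An assumed normalisation, not OSV.dev's own."""
    if version == "0":
        return version
    m = re.match(r"^(\d+(?:\.\d+){0,2})(.*)$", version.lstrip("v"))
    if m is None:
        raise ValueError(f"cannot canonicalise {version!r}")
    core, rest = m.groups()
    parts = core.split(".")
    out = ".".join(parts + ["0"] * (3 - len(parts))) + rest
    if not is_strict_semver(out):
        raise ValueError(f"{version!r} does not canonicalise to SemVer")
    return out


def is_affected(version: str, affected: dict, range_type: str = None) -> bool:
    """Walk OSV introduced/fixed events. Passing range_type="SEMVER"
    mimics a consumer that coerces every range to SEMVER regardless of
    the type the record declares."""
    for rng in affected["ranges"]:
        rtype = range_type or rng["type"]
        parse = parse_semver if rtype == "SEMVER" else parse_loose
        v = parse(version)
        introduced = None
        for ev in rng["events"]:
            if "introduced" in ev:
                introduced = parse(ev["introduced"])
            elif "fixed" in ev:
                if introduced is not None and introduced <= v < parse(ev["fixed"]):
                    return True
                introduced = None
        if introduced is not None and v >= introduced:  # open-ended range
            return True
    return False


def evaluate(version: str, affected: dict, range_type: str = None) -> str:
    """Make a coercion failure a visible outcome instead of an exception
    that a scanner might silently swallow as 'not affected'."""
    try:
        return "affected" if is_affected(version, affected, range_type) else "not affected"
    except ValueError as exc:
        return f"unparseable: {exc}"


def normalize_record(affected: dict) -> dict:
    """Copy of the entry with every range rewritten as SEMVER and every
    event version canonicalised, so a SEMVER-only consumer can use it."""
    out = copy.deepcopy(affected)
    for rng in out["ranges"]:
        rng["type"] = "SEMVER"
        for ev in rng["events"]:
            for key in ("introduced", "fixed"):
                if key in ev:
                    ev[key] = canonicalize_semver(ev[key])
    return out


# Constructed entry modelled on the thread (ECOSYSTEM range, fixed in 1.1);
# not copied from the published GHSA record.
WALG_AFFECTED = {
    "package": {"ecosystem": "Go", "name": "github.com/wal-g/wal-g"},
    "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.1"}]}
    ],
}

if __name__ == "__main__":
    for ver in ("1.0.3", "1.1", "1.1.0"):
        print(ver, "ECOSYSTEM:", evaluate(ver, WALG_AFFECTED))
        print(ver, "coerced SEMVER:", evaluate(ver, WALG_AFFECTED, "SEMVER"))
        print(ver, "normalised SEMVER:", evaluate(ver, normalize_record(WALG_AFFECTED), "SEMVER"))
```

The `evaluate` wrapper is the practitioner's check: when a consumer coerces the range type, the record does not quietly become wrong, it becomes unevaluable, and a scanner that maps parse errors to "not affected" would report the vulnerable version as clean. Normalising the event versions (or publishing them as three-component versions in the first place) removes that ambiguity.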