go-gorm / postgres

GORM PostgreSQL driver
MIT License

Security flaw in dependency library for UUID generation #139

Closed grafov closed 2 years ago

grafov commented 2 years ago

This library depends on github.com/jackc/pgx/v4, which in turn uses the github.com/satori/go.uuid library (the proof is https://github.com/jackc/pgx/blob/v4.17.2/go.sum#L103). The library used for UUID generation is not maintained anymore and has a known security issue: https://github.com/satori/go.uuid/issues/120

The possible solution

Upgrade used library to pgx/v5 where the dependency to satori/go.uuid is completely absent.
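A defender-side check for the dependency chain described above, added here as an example that is not part of the issue or of the go-gorm project: it parses `go mod graph` output and reports the path by which a flagged module (here github.com/satori/go.uuid) is reached from the main module. The module names are those named in the issue; the sample graph, its root module name and its versions are constructed.

```go
package main

import "strings"

// Constructed sample of `go mod graph` output ("parent child@version" per line);
// versions are hypothetical, a real check would feed in the actual command output.
const sampleGraph = `example.com/app gorm.io/driver/postgres@v1.4.5
example.com/app gorm.io/gorm@v1.24.0
gorm.io/driver/postgres@v1.4.5 github.com/jackc/pgx/v4@v4.17.2
github.com/jackc/pgx/v4@v4.17.2 github.com/satori/go.uuid@v1.2.0
github.com/jackc/pgx/v4@v4.17.2 github.com/jackc/pgconn@v1.13.0
gorm.io/gorm@v1.24.0 github.com/jinzhu/now@v1.1.5`

// DependencyPath parses `go mod graph` output and returns the shortest chain of
// module paths (versions stripped) from root to target, or nil if target is
// not reachable, so a CI check can fail the build when a flagged module appears.
func DependencyPath(graph, root, target string) []string {
	edges := map[string][]string{}
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		p, _, _ := strings.Cut(f[0], "@") // drop "@version"
		c, _, _ := strings.Cut(f[1], "@")
		edges[p] = append(edges[p], c)
	}
	parent := map[string]string{root: ""} // BFS predecessor map
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, c := range edges[cur] {
			if _, seen := parent[c]; !seen {
				parent[c] = cur
				queue = append(queue, c)
			}
		}
	}
	return nil
}
```

Feed it `go mod graph` output from the real module (and the real root module path) to confirm whether the satori dependency disappears after moving to pgx/v5.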

perelin commented 1 year ago

Still no release (1.4.6) here? github.com/jackc/pgx/v4 was also somehow importing a vulnerable golang.org/x/crypto version, see https://www.cve.org/CVERecord?id=CVE-2020-9283. Seems to be fixed in github.com/jackc/pgx/v5.