Closed MyDogIsMyPersonality closed 5 months ago
Note that Go 1.22.2 is not the current latest version. That version is Go 1.22.3, released 10 days ago: https://groups.google.com/g/golang-announce/c/wkkO4P9stm0. Go 1.22.3 includes fixes for CVE-2024-24787 and CVE-2024-24788, but you're referring to other CVEs.
CC @golang/vulndb. (Edit: I thought this bug was about govulncheck because it was mentioned, but I realize now that it's not clear without additional information.)
CVE 2023-29040 -> https://pkg.go.dev/vuln/GO-2023-1842 fixed in go1.20.5
CVE 2023-29402 -> https://pkg.go.dev/vuln/GO-2023-1839 fixed in go1.20.5
CVE 2023-29404 -> https://pkg.go.dev/vuln/GO-2023-1841 fixed in go1.20.5
CVE 2023-29403 -> https://pkg.go.dev/vuln/GO-2023-1840 fixed in go1.20.5
CVE 2023-39323 -> https://pkg.go.dev/vuln/GO-2023-2095 fixed in go1.21.2
CVE 2023-39325 -> https://pkg.go.dev/vuln/GO-2023-2102 fixed in go1.21.3
CVE 2023-44487 -> not found from pkg.go.dev/vuln. From Snyk https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327 it's an old issue
CVE 2023-45285 -> https://pkg.go.dev/vuln/GO-2023-2383 fixed in go1.21.5
@MyDogIsMyPersonality I don't know what vuln scanner you are using, but can you please contact your vulnerability scanning service provider for this issue?
In addition, are you scanning Go binaries in your containers or source code? If you are scanning binaries, downloading a newer version of Go is not sufficient. Binaries need to be recompiled.
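The point in the comment above is that a container scanner reads the toolchain version embedded in each Go binary, not the version of the `go` command installed in the image. The following is an added example, not code from the thread or from the Go project: it reads that embedded version with `debug/buildinfo` and checks it against the fixed-in versions listed in the thread (the `fixedIn` table is constructed from those comments; CVE-2023-44487 is left out because no Go vulnerability ID was found for it). The version parser is a simplification that treats pre-release suffixes as equal to the final release.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// fixedIn maps the Go vulnerability IDs listed earlier in the thread to the
// first Go release that carries the fix. Constructed from the thread's comments.
var fixedIn = map[string]string{
	"GO-2023-1839": "go1.20.5",
	"GO-2023-1840": "go1.20.5",
	"GO-2023-1841": "go1.20.5",
	"GO-2023-1842": "go1.20.5",
	"GO-2023-2095": "go1.21.2",
	"GO-2023-2102": "go1.21.3",
	"GO-2023-2383": "go1.21.5",
}

// parseGoVersion turns "go1.22.2" into [1 22 2]. A missing patch number is
// treated as 0 and a pre-release suffix ("rc1", "beta2") is ignored; this is an
// assumption that keeps the example short, not the ordering go/version uses.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3)
	for i, p := range parts {
		n := 0
		for n < len(p) && p[n] >= '0' && p[n] <= '9' {
			n++
		}
		if n == 0 {
			return out, fmt.Errorf("unparseable Go version %q", v)
		}
		num, err := strconv.Atoi(p[:n])
		if err != nil {
			return out, err
		}
		out[i] = num
	}
	return out, nil
}

// versionLess reports whether a is an older release than b.
func versionLess(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// unfixedVulns returns, sorted, the IDs from fixedIn whose fix landed after the
// toolchain version a binary was built with.
func unfixedVulns(goVersion string) ([]string, error) {
	built, err := parseGoVersion(goVersion)
	if err != nil {
		return nil, err
	}
	var ids []string
	for id, fixed := range fixedIn {
		fv, err := parseGoVersion(fixed)
		if err != nil {
			return nil, err
		}
		if versionLess(built, fv) {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids, nil
}

func main() {
	// Usage: go run . /path/to/binary [...]
	for _, path := range os.Args[1:] {
		bi, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		ids, err := unfixedVulns(bi.GoVersion)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		fmt.Printf("%s: built with %s, unfixed: %v\n", path, bi.GoVersion, ids)
	}
}
```

Running this against the binaries actually shipped in the container (rather than against the `go` command) shows which ones still embed an old toolchain and so still need to be rebuilt; `go version -m <binary>` prints the same embedded version by hand.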
Timed out in state WaitingForInfo. Closing.
(I am just a bot, though. Please speak up if this is a mistake or you have the requested information.)
govulncheck version
go version (v1.22.2)
Does this issue reproduce at the latest version of golang.org/x/vuln?
Yes
Output of go env in your module/workspace:
What did you do?
The following CVEs are still showing up in our container scans although they are reported as patched. We downloaded the latest go version (v1.22.2), but we still see the stdlib CVEs being reported for the latest golang version.
• CVE-2023-29405 patched
• CVE-2023-29402 patch
• CVE-2023-29404 patch
HIGH:
• CVE-2023-29403 patch
• CVE-2023-39323 info
• CVE-2023-39325 info
• CVE-2023-44487 info
• CVE-2023-45285 info
What did you see happen?
CVEs noted above still show up in scans
What did you expect to see?
Scans showing these CVEs as remediated in latest version