search

google / gopacket

Provides packet processing capabilities for Go
BSD 3-Clause "New" or "Revised" License
6.27k stars 1.12k forks source link

Found CVE-2020-14040 in current package #1182

Open adityasharma1912 opened 1 month ago

adityasharma1912 commented 1 month ago

gopacket is using an old version of x/net lib:

golang.org/x/net v0.0.0-20190620200207-3b0461eec859

which in turn uses the following libraries(saw dependencies using "go mod graph" command):

golang.org/x/net@v0.0.0-20190620200207-3b0461eec859 golang.org/x/crypto@v0.0.0-20190308221718-c2843e01d9a2 golang.org/x/net@v0.0.0-20190620200207-3b0461eec859 golang.org/x/sys@v0.0.0-20190215142949-d0b11bdaac8a golang.org/x/net@v0.0.0-20190620200207-3b0461eec859 golang.org/x/text@v0.3.0

Out of those: "golang.org/x/text@v0.3.0" has CVE-2020-14040 vulnerability

FeldrinH commented 1 month ago

This library is no longer maintained (see https://github.com/google/gopacket/issues/1016). Might be worth checking out https://github.com/gopacket/gopacket, which is a more actively maintained fork.

adityasharma1912 commented 1 month ago

thank you @FeldrinH