Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[GHSA-rc7v-65v6-m2v3] go-mysql affected by go.uuid's Predictable UUID Identifiers #4990

Merged
merged 1 commit into from
Nov 8, 2024
Merged

[GHSA-rc7v-65v6-m2v3] go-mysql affected by go.uuid's Predictable UUID Identifiers #4990

merged 1 commit into from
Nov 8, 2024

Conversation

Fidget-Grep
Copy link

Updates

  • CVSS v3

Comments
I would like to suggest this advisory to be withdrawn, as I do not believe that CVE-2021-3538 affects any version of github.com/go-mysql-org/go-mysql.
The advisory for CVE-2021-3538 makes it clear that the vulnerability only affects the commits 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7daf2b8e1d60c45. It also mentions that this range of commits was never in a tagged release of satori/go.uuid.
Now, comparing the tags 1.4.0 and 1.5.0 in github.com/go-mysql-org/go-mysql we can see the commit that replaced github.com/satori/go.uuid with github.com/google/uuid. Looking at the go.mod file between versions, we can see that the version of github.com/satori/go.uuid used was 1.2.0, which is completely safe and not vulnerable to CVE-2021-3538. Searching previous versions of go.mod I cannot find any other versions of github.com/satori/go.uuid. Because of this, I have reason to believe that github.com/go-mysql-org/go-mysql was never using a vulnerable version of github.com/satori/go.uuid.

@github
Copy link
Collaborator

github commented Nov 6, 2024

Hi there @lance6716! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions bot changed the base branch from main to Fidget-Grep/advisory-improvement-4990 November 6, 2024 23:32
@lance6716
Copy link

lance6716 commented Nov 7, 2024
edited
Loading

Thanks for checking, I mistakenly understood the affected versions of CVE-2021-3538. I'll withdrawn it.

update: I emailed GitHub support to withdraw it

@Fidget-Grep
Copy link
Author

Thanks Lance, it's understandable. Looks like apptainer/sif was confused about that too. Thanks for taking care of this.

@advisory-database advisory-database bot merged commit 67dddd4 into Fidget-Grep/advisory-improvement-4990 Nov 8, 2024
2 checks passed
@advisory-database
Copy link
Contributor

Hi @Fidget-Grep! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the Fidget-Grep-GHSA-rc7v-65v6-m2v3 branch November 8, 2024 17:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Fidget-Grep @github @lance6716