From e5e5fe1791fe53ddef4d6f9768a8dfef267c4c0f Mon Sep 17 00:00:00 2001
From: Tim King
Date: Tue, 9 Jul 2024 10:57:44 -0700
Subject: [PATCH] data/reports: update GO-2024-2527

- data/reports/GO-2024-2527.yaml

Updates golang/vulndb#2527
Fixes golang/vulndb#2952

Change-Id: I9026e48ff8f896fd653f3accb55fbe1f5c630a07
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/597355
Reviewed-by: Tatiana Bradley
LUCI-TryBot-Result: Go LUCI
---
 data/osv/GO-2024-2527.json | 27 ++++++++++++++-------------
 data/reports/GO-2024-2527.yaml | 23 ++++++++++++++---------
 2 files changed, 28 insertions(+), 22 deletions(-)

diff --git a/data/osv/GO-2024-2527.json b/data/osv/GO-2024-2527.json
index 3caf5562..6be3ba87 100644
--- a/data/osv/GO-2024-2527.json
+++ b/data/osv/GO-2024-2527.json
@@ -3,16 +3,15 @@
 "id": "GO-2024-2527",
 "modified": "0001-01-01T00:00:00Z",
 "published": "0001-01-01T00:00:00Z",
- "withdrawn": "2024-07-01T15:21:57Z",
 "aliases": [
 "GHSA-5x4g-q5rc-36jp"
 ],
- "summary": "WITHDRAWN: Etcd pkg Insecure ciphers are allowed by default in go.etcd.io/etcd/client/pkg/v3",
- "details": "(This report has been withdrawn with reason: \"too many false positives\"). .\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: go.etcd.io/etcd/client/pkg/v3 before v3.3.23, from v3.4.0-rc.0 before v3.4.10.",
+ "summary": "Insecure ciphers are allowed by default in go.etcd.io/etcd",
+ "details": "The TLS ciphers list supported by etcd contains insecure cipher suites. Users may specify that an insecure cipher is used via “--cipher-suites” flag. A list of secure suites is used by default.",
 "affected": [
 {
 "package": {
- "name": "go.etcd.io/etcd/client/pkg/v3",
+ "name": "go.etcd.io/etcd",
 "ecosystem": "Go"
 },
 "ranges": [
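Review bot: The new `summary` ("Insecure ciphers are allowed by default") and the new `details` ("A list of secure suites is used by default.") contradict each other, so a reader of this OSV entry cannot tell whether a default etcd configuration was affected or only one that passes an explicit `--cipher-suites` choice. The details text should say what the pre-fix behaviour was and what the referenced fix changed (for instance whether the default list or only the validation of user-supplied suites was tightened), with the wording checked against the fix commit, since nothing in the hunk shows which reading is correct. If data/osv is generated from data/reports, as the commit title suggests, the correction belongs in the `description` block of the data/reports/GO-2024-2527.yaml hunk (`@@ -1,14 +1,19 @@`) rather than here.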
@@ -21,26 +20,28 @@
 "events": [
 {
 "introduced": "0"
+ },
+ {
+ "fixed": "0.5.0-alpha.5.0.20221102000833-1f054980bc27"
 }
 ]
 }
 ],
 "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "go.etcd.io/etcd/pkg/tlsutil"
+ }
+ ],
 "custom_ranges": [
 {
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
- },
- {
- "fixed": "3.3.23"
- },
- {
- "introduced": "3.4.0-rc.0"
+ "introduced": "3.2.22"
 },
 {
- "fixed": "3.4.10"
+ "fixed": "3.4.22"
 }
 ]
 }
@@ -56,6 +57,6 @@
 ],
 "database_specific": {
 "url": "https://pkg.go.dev/vuln/GO-2024-2527",
- "review_status": "UNREVIEWED"
+ "review_status": "REVIEWED"
 }
 }
\ No newline at end of file
diff --git a/data/reports/GO-2024-2527.yaml b/data/reports/GO-2024-2527.yaml
index f030e3dc..30b3bc7c 100644
--- a/data/reports/GO-2024-2527.yaml
+++ b/data/reports/GO-2024-2527.yaml
@@ -1,14 +1,19 @@
 id: GO-2024-2527
 modules:
- - module: go.etcd.io/etcd/client/pkg/v3
+ - module: go.etcd.io/etcd
+ versions:
+ - fixed: 0.5.0-alpha.5.0.20221102000833-1f054980bc27
 non_go_versions:
- - fixed: 3.3.23
- - introduced: 3.4.0-rc.0
- - fixed: 3.4.10
- vulnerable_at: 3.5.14
-summary: 'WITHDRAWN: Etcd pkg Insecure ciphers are allowed by default in go.etcd.io/etcd/client/pkg/v3'
-description: '(This report has been withdrawn with reason: "too many false positives"). '
-withdrawn: 2024-07-01T15:21:57Z
+ - introduced: 3.2.22
+ - fixed: 3.4.22
+ vulnerable_at: 0.5.0-alpha.5.0.20220915004622-85b640cee793
+ packages:
+ - package: go.etcd.io/etcd/pkg/tlsutil
+summary: Insecure ciphers are allowed by default in go.etcd.io/etcd
+description: |-
+ The TLS ciphers list supported by etcd contains insecure cipher suites. Users
+ may specify that an insecure cipher is used via “--cipher-suites” flag. A
+ list of secure suites is used by default.
 ghsas:
 - GHSA-5x4g-q5rc-36jp
 references:
@@ -16,5 +21,5 @@ references:
 source:
 id: GHSA-5x4g-q5rc-36jp
 created: 2024-06-14T11:40:23.789526-04:00
-review_status: UNREVIEWED
+review_status: REVIEWED
 unexcluded: EFFECTIVELY_PRIVATE
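Review bot: The Go range for `go.etcd.io/etcd` now carries only a `fixed` event, so every pseudo-version from `"introduced": "0"` is reported as affected, while the parallel `custom_ranges` entry starts at `"introduced": "3.2.22"`; if the affected code in `go.etcd.io/etcd/pkg/tlsutil` only appeared in 3.2.22, the Go range should carry a matching `introduced` pseudo-version, and if it is older the `3.2.22` bound needs a source. The same asymmetry is in the `versions` and `non_go_versions` lists of the data/reports/GO-2024-2527.yaml hunk (`@@ -1,14 +1,19 @@`), which is where it should be corrected if the OSV file is generated from the report. Removing `go.etcd.io/etcd/client/pkg/v3` altogether also leaves the report silent on the 3.5 line, where the withdrawn version placed `vulnerable_at: 3.5.14`; a one-line note in the report recording whether that module contains the same code, or a `versions` entry for it, would make the scope explicit.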