Upgrade golang.org/x/text to 0.3.8 #1453

tzimmermann · 2022-11-28T13:14:06Z

Describe the bug

The go team has fixed the vulnerability CVE-2022-32149 in v0.3.8 of golang.org/x/text here: golang/go#56152

It would be good to upgrade that indirect dep in this project, because security scanners are starting to report it to us:

usr/local/bin/yq (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌───────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                          │
├───────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ golang.org/x/text │ CVE-2022-32149 │ HIGH     │ v0.3.7            │ 0.3.8         │ golang: golang.org/x/text/language: ParseAcceptLanguage │
│                   │                │          │                   │               │ takes a long time to parse complex tags                 │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-32149              │
└───────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

The text was updated successfully, but these errors were encountered:

mikefarah · 2022-12-17T00:53:48Z

Fixed in v4.30.6

tzimmermann added bug v4 labels Nov 28, 2022

mikefarah closed this as completed Dec 17, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade golang.org/x/text to 0.3.8 #1453

Upgrade golang.org/x/text to 0.3.8 #1453

tzimmermann commented Nov 28, 2022

mikefarah commented Dec 17, 2022

Upgrade golang.org/x/text to 0.3.8 #1453

Upgrade golang.org/x/text to 0.3.8 #1453

Comments

tzimmermann commented Nov 28, 2022

mikefarah commented Dec 17, 2022