
fix: CVE-2022-32149

Alessio Caiazza requested to merge CVE-2022-32149 into master

Related to gitlab#377684 (closed)

golang.org/x/text v0.3.8 has been released to address CVE-2022-32149.

Because this is an indirect dependency, go mod tidy must now run in 1.17 compatibility mode, as go.sum cannot generate the same dependency graph on go <= 1.16.

From https://go.dev/ref/mod#graph-pruning

Because Go 1.16 and earlier did not support module graph pruning, the full transitive closure of dependencies — including transitive go 1.17 dependencies — is still included for each module that specifies go 1.16 or lower. (At go 1.16 and below, the go.mod file includes only direct dependencies, so a much larger graph must be loaded to ensure that all indirect dependencies are included.) The go.sum file recorded by go mod tidy for a module by default includes checksums needed by the Go version one below the version specified in its go directive. So a go 1.17 module includes checksums needed for the full module graph loaded by Go 1.16, but a go 1.18 module will include only the checksums needed for the pruned module graph loaded by Go 1.17. The -compat flag can be used to override the default version (for example, to prune the go.sum file more aggressively in a go 1.17 module).

Release announcement: https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ

182717c2

Edited by Alessio Caiazza
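An added check to go with the description above, not code from this merge request or from the Go toolchain: a small Go program that reads a go.mod, reports whether golang.org/x/text is pinned below the fixed v0.3.8 (a pseudo-version such as v0.3.8-0.2022... counts as older than the release), and flags the case the graph-pruning quote implies: a module at go 1.16 or lower lists only its direct requirements, so an indirect x/text does not show up in go.mod at all and the result is inconclusive until `go list -m all` is consulted. The sample go.mod, the module example.com/service and github.com/example/direct are constructed; Finding, Analyze, versionKey, olderThanFix and graphPruned are names chosen here.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not code from the merge request or the Go toolchain.
const (
	modulePath   = "golang.org/x/text"
	fixedVersion = "v0.3.8" // first x/text release carrying the CVE-2022-32149 fix
)

// sampleGoMod is a constructed go.mod for a hypothetical module: x/text is indirect, one patch short of the fix.
const sampleGoMod = `module example.com/service
go 1.17
require (
	github.com/example/direct v1.2.0
	golang.org/x/text v0.3.7 // indirect
)`

// Finding is what Analyze reports for one go.mod.
type Finding struct {
	GoDirective  string // value of the "go" directive, "" if absent
	Version      string // x/text version listed in go.mod, "" if absent
	Indirect     bool   // listed with a "// indirect" comment
	Vulnerable   bool   // Version is set and sorts below fixedVersion
	Inconclusive bool   // x/text absent, but at go <= 1.16 go.mod lists direct deps only
}

// versionKey maps "v0.3.8-0.20221001000000-abcdef012345" to "00000.00003.00008.0": zero-padded fields so plain
// string comparison orders versions; the last digit is 0 for a pre-release/pseudo-version, 1 for a release.
func versionKey(v string) (string, error) {
	v = strings.TrimPrefix(v, "v")
	release := 1
	if i := strings.Index(v, "-"); i >= 0 { // pre-release or pseudo-version suffix sorts below the release
		v, release = v[:i], 0
	}
	var major, minor, patch int
	if n, _ := fmt.Sscanf(v, "%d.%d.%d", &major, &minor, &patch); n != 3 {
		return "", fmt.Errorf("unexpected version %q", v)
	}
	return fmt.Sprintf("%05d.%05d.%05d.%d", major, minor, patch, release), nil
}

// olderThanFix reports whether version v sorts below fixedVersion.
func olderThanFix(v string) (bool, error) {
	vk, err := versionKey(v)
	fk, _ := versionKey(fixedVersion) // constant, known to parse
	return err == nil && vk < fk, err
}

// graphPruned: from go 1.17 on, go.mod also lists the indirect dependencies.
func graphPruned(goDirective string) bool {
	var major, minor int
	n, _ := fmt.Sscanf(goDirective, "%d.%d", &major, &minor)
	return n == 2 && (major > 1 || major == 1 && minor >= 17)
}

// Analyze scans go.mod text for the go directive and the x/text requirement (single-line or block form).
func Analyze(gomod string) (Finding, error) {
	var f Finding
	inRequire := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		fields := strings.Fields(line)
		var path, version string
		switch {
		case len(fields) < 2:
			inRequire = inRequire && line != ")" // a lone ")" closes the require block
		case fields[0] == "go":
			f.GoDirective = fields[1]
		case line == "require (":
			inRequire = true
		case inRequire:
			path, version = fields[0], fields[1]
		case fields[0] == "require" && len(fields) >= 3:
			path, version = fields[1], fields[2]
		}
		if path != modulePath {
			continue
		}
		vuln, err := olderThanFix(version)
		if err != nil {
			return f, err
		}
		f.Version, f.Indirect, f.Vulnerable = version, strings.Contains(line, "// indirect"), vuln
	}
	f.Inconclusive = f.Version == "" && !graphPruned(f.GoDirective)
	return f, nil
}

func main() {
	f, err := Analyze(sampleGoMod)
	fmt.Printf("%+v err=%v\n", f, err)
	if f.Vulnerable { // the remediation this merge request applies
		fmt.Printf("go get %s@%s && go mod tidy -compat=1.17\n", modulePath, fixedVersion)
	}
}
```

On a hit, the remediation is the one the description gives: go get golang.org/x/text@v0.3.8, then go mod tidy -compat=1.17 so that go.sum is recorded for the pruned graph Go 1.17 loads rather than the full graph go <= 1.16 would need. An inconclusive result on a go 1.16 module is not a clean bill of health; the full transitive closure is still built there, so check the selected version with go list -m all.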
