[GODRIVER-1748] CVE-2019-11254 - Known vulnerability in yaml.v2 v2.2.2

Created: 10/Sep/20 | Updated: 28/Oct/23 | Resolved: 25/Sep/20

| Status: | Closed |
| Project: | Go Driver |
| Component/s: | Core API |
| Affects Version/s: | 1.4.1 |
| Fix Version/s: | 1.4.2 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Nicholas Beenham |
| Assignee: | Divjot Arora (Inactive) |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |

Description
The latest version of the mongo-go-driver imports 2 packages which in turn import gopkg.in/yaml.v2 v2.2.2. This has a vulnerability identified in https://nvd.nist.gov/vuln/detail/CVE-2019-11254 and first exposed in the Kubernetes API: https://github.com/kubernetes/kubernetes/issues/89535. The 2 packages are: github.com/pelletier/go-toml@v1.4.0 and github.com/stretchr/testify@v1.4.0. The current versions of both packages are patched to a higher level of the yaml package.
Comments

Comment by Divjot Arora (Inactive) [ 25/Sep/20 ]

nicholas_beenham@cable.comcast.com Once again, thanks for bringing this to our attention! It required some back and forth, but we've upgraded all required dependencies to ensure that we only depend on go-yaml v2.2.8 and higher. I've backported this work so it will be available in the upcoming 1.4.2 release. – Divjot
Comment by Githook User [ 25/Sep/20 ]

Author: {'name': 'Divjot Arora', 'email': 'divjot.arora@10gen.com', 'username': 'divjotarora'}
Message: This commit upgrades our direct aws-sdk-go, go-toml and testify
Comment by Divjot Arora (Inactive) [ 22/Sep/20 ]

nicholas_beenham@cable.comcast.com Thanks for keeping us posted on the developments for this. I've opened https://github.com/mongodb/mongo-go-driver/pull/505 to upgrade our go-toml, testify, and aws-sdk-go dependencies.
Comment by Nicholas Beenham [ 22/Sep/20 ]

https://github.com/aws/aws-sdk-go/blob/v1.34.28/go.mod You should be good now; the latest release has the updated package.
Comment by Nicholas Beenham [ 19/Sep/20 ]

Looks like the latest go-jmespath@0.4.0 has been updated, I think we'll see aws-sdk-go updated shortly.
Comment by Divjot Arora (Inactive) [ 18/Sep/20 ]

Thanks for the update. I'll keep an eye on it. Once that's merged, we'd have to wait for a new go-jmespath release and then ask for aws-sdk-go to upgrade to that release. I'm not really sure what the right state for this ticket is at this time because there's no work for us to do here, but I also don't want it to get lost in the backlog, so I'm going to leave it in "Investigating". I've subscribed to notifications on the go-jmespath PR so we can move forward once we see progress there. – Divjot
Comment by Nicholas Beenham [ 18/Sep/20 ]

Someone beat me to it by half an hour! https://github.com/jmespath/go-jmespath/pull/55 There is a PR open to update based on the CVE.
Comment by Divjot Arora (Inactive) [ 18/Sep/20 ]

nicholas_beenham@cable.comcast.com I think you'd have to reach out to github.com/jmespath/go-jmespath because v0.3.0 is the latest release of that module and it imports testify@v1.5.1, but testify's gopkg.in/yaml dependency wasn't bumped to v3 until v1.6.0.
Comment by Nicholas Beenham [ 17/Sep/20 ]

Thanks! I'm going to reach out to AWS and see what they are going to do about the SDK.
Comment by Divjot Arora (Inactive) [ 16/Sep/20 ]

Hi nicholas_beenham@cable.comcast.com, Thanks for reporting this vulnerability. I'm working on upgrading the packages, but am running into a dead end. I upgraded testify and go-toml to the most recent versions, but gopkg.in/yaml.v2 v2.2.2 still shows up in our go.sum. I then upgraded aws-sdk-go to its latest version (v1.34.25) as it relied on an older testify version. v1.2.2 of gopkg.in/yaml.v2 is still showing up in go.sum. Running "go mod graph" shows this chain:

    github.com/aws/aws-sdk-go@v1.34.25 -> github.com/jmespath/go-jmespath@v0.3.0
    github.com/jmespath/go-jmespath@v0.3.0 github.com/stretchr/testify@v1.5.1
    github.com/stretchr/testify@v1.5.1 gopkg.in/yaml.v2@v2.2.2

Do you know if this will still be problematic? If it helps, my work so far is at https://github.com/divjotarora/mongo-go-driver/tree/godriver1748-yaml-upgrade.
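The chain above is the kind of thing `go mod graph` makes tedious to trace by hand. As an added example (not code from this ticket or from the driver), the program below parses `go mod graph` output and lists every path from the root module to an exact vulnerable module@version; the sample graph is constructed from the chain quoted in the comment above, with the root module line and the remaining edges being assumptions added for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph`-style output (one "parent child" pair per line).
// The aws-sdk-go -> go-jmespath -> testify -> yaml.v2 chain is the one quoted
// in the comment; the root module line and the other edges are assumptions.
const sampleGraph = `go.mongodb.org/mongo-driver github.com/aws/aws-sdk-go@v1.34.25
go.mongodb.org/mongo-driver github.com/stretchr/testify@v1.6.1
go.mongodb.org/mongo-driver github.com/pelletier/go-toml@v1.7.0
github.com/aws/aws-sdk-go@v1.34.25 github.com/jmespath/go-jmespath@v0.3.0
github.com/jmespath/go-jmespath@v0.3.0 github.com/stretchr/testify@v1.5.1
github.com/stretchr/testify@v1.5.1 gopkg.in/yaml.v2@v2.2.2
github.com/pelletier/go-toml@v1.7.0 gopkg.in/yaml.v2@v2.2.8`

// parseGraph turns `go mod graph` output into an adjacency list.
func parseGraph(text string) map[string][]string {
	graph := map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		graph[fields[0]] = append(graph[fields[0]], fields[1])
	}
	return graph
}

// pathsTo returns every dependency path from root to the exact module@version
// target (e.g. "gopkg.in/yaml.v2@v2.2.2"), so each offending chain can be
// traced back to the direct dependency that has to be upgraded.
func pathsTo(graph map[string][]string, root, target string) [][]string {
	var found [][]string
	onPath := map[string]bool{} // guards against cycles in the module graph
	var walk func(node string, path []string)
	walk = func(node string, path []string) {
		if onPath[node] {
			return
		}
		onPath[node] = true
		defer delete(onPath, node)
		path = append(path, node)
		if node == target {
			found = append(found, append([]string(nil), path...))
			return
		}
		for _, child := range graph[node] {
			walk(child, path)
		}
	}
	walk(root, nil)
	return found
}

func main() {
	graph := parseGraph(sampleGraph)
	for _, p := range pathsTo(graph, "go.mongodb.org/mongo-driver", "gopkg.in/yaml.v2@v2.2.2") {
		fmt.Println(strings.Join(p, " -> "))
	}
}
```

Feeding it the real output of `go mod graph` from the module root in place of the constructed sample shows which direct dependency pulls in the flagged version.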