[GODRIVER-2461] CVE-2021-38561 in golang.org/x/text Created: 16/Jun/22  Updated: 27/Jun/22  Resolved: 27/Jun/22

Status: Closed
Project: Go Driver
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Unknown
Reporter: Ben Foster
Assignee: Matt Dale
Resolution: Duplicate
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates GODRIVER-2447 Update golang.org/x/text to 0.3.7 or ... Closed

Description

We are getting scan hits on Mongo tools (bsondump, mongodump, mongoexport, mongofiles, mongoimport, mongorestore, mongostat, and mongotop) for CVE-2021-38561 affecting golang.org/x/text v0.3.5.

This is fixed in golang.org/x/text v0.3.7.

golang.org/x/text v0.3.5 is brought in transitively by the driver, which then gets it via github.com/xdg-go/stringprep v1.0.2.

github.com/xdg-go/stringprep v1.0.3 has been released specifically to address this CVE.
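
The transitive chain described in the ticket above can be confirmed from the output of `go mod graph`. This added example (not part of the ticket or of the driver's code) walks that output and lists every requirement chain that ends at a golang.org/x/text version older than v0.3.7; the graph text is constructed, and `example.com/app` and the driver version `vX.Y.Z` are placeholders.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed `go mod graph` output; example.com/app and the driver version vX.Y.Z are placeholders.
const sampleGraph = `example.com/app go.mongodb.org/mongo-driver@vX.Y.Z
go.mongodb.org/mongo-driver@vX.Y.Z github.com/xdg-go/stringprep@v1.0.2
github.com/xdg-go/stringprep@v1.0.2 golang.org/x/text@v0.3.5
`

// key orders vMAJOR.MINOR.PATCH versions; suffixes are ignored and components are assumed < 1000.
func key(v string) int {
	var a, b, c int
	fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c)
	return a*1000000 + b*1000 + c
}

// VulnerableChains lists, root first, every requirement chain ending at a version of mod older than fixed.
func VulnerableChains(graph, mod, fixed string) (chains []string) {
	parents := map[string][]string{} // child -> modules that require it
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			parents[f[1]] = append(parents[f[1]], f[0])
		}
	}
	var walk func(node, tail string)
	walk = func(node, tail string) {
		chain := strings.TrimSuffix(node+" -> "+tail, " -> ")
		if len(parents[node]) == 0 {
			chains = append(chains, chain) // nothing requires node: it is the main module
		}
		for _, p := range parents[node] {
			if !strings.Contains(" "+chain+" ", " "+p+" ") { // skip cycles in the graph
				walk(p, chain)
			}
		}
	}
	for node := range parents {
		if name, ver, _ := strings.Cut(node, "@"); name == mod && key(ver) < key(fixed) {
			walk(node, "")
		}
	}
	sort.Strings(chains)
	return chains
}
func main() { fmt.Println(strings.Join(VulnerableChains(sampleGraph, "golang.org/x/text", "v0.3.7"), "\n")) }
```

`go mod graph` lists requirements, not the final build list: if any other module requires a newer golang.org/x/text, the version shown by `go list -m all` is the one that ends up in the binary.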

 



Comments
Comment by Matt Dale [ 27/Jun/22 ]

Hey bpfoster, thanks for the additional information about the available github.com/xdg-go/stringprep update! This is a duplicate of existing ticket GODRIVER-2447, which is currently in progress. I'm closing this ticket, but please watch GODRIVER-2447 for updates. That fix is scheduled for release with the v1.9.2 and v1.10.0 drivers.

Comment by Esha Bhargava [ 17/Jun/22 ]

bpfoster Thank you for reporting this issue. We'll look into it and get back to you soon.
