[GODRIVER-2461] CVE-2021-38561 in golang.org/x/text Created: 16/Jun/22 Updated: 27/Jun/22 Resolved: 27/Jun/22 |
|
| Status: | Closed |
| Project: | Go Driver |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Unknown |
| Reporter: | Ben Foster | Assignee: | Matt Dale |
| Resolution: | Duplicate | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||
| Description |
|
We are getting scan hits on Mongo tools (bsondump, mongodump, mongoexport, mongofiles, mongoimport, mongorestore, mongostat, and mongotop) for CVE-2021-38561 affecting golang.org/x/text v0.3.5.
This is fixed in golang.org/x/text v0.3.7.
golang.org/x/text v0.3.5 is brought in transitively by the driver, which then gets it via github.com/xdg-go/stringprep v1.0.2.
github.com/xdg-go/stringprep v1.0.3 has been released specifically to address this CVE.
|
| Comments |
| Comment by Matt Dale [ 27/Jun/22 ] |
|
Hey bpfoster, thanks for the additional information about the available github.com/xdg-go/stringprep update! This is a duplicate of existing ticket |
| Comment by Esha Bhargava [ 17/Jun/22 ] |
|
bpfoster Thank you for reporting this issue. We'll look into it and get back to you soon. |