discordgo
Update golang.org/x/crypto to v0.22.0 and Minimum Go Version to 1.18 to Address Security Vulnerabilities
Please update the golang.org/x/crypto package to version 0.22.0 and raise the minimum Go version to 1.18.
These changes are needed to address several high and moderate severity security vulnerabilities, specifically CVE-2021-43565, CVE-2022-27191, CVE-2023-48795, and CVE-2022-29526, which were present in the previously used version of the crypto package.
Updating ensures that the DiscordGo library remains secure and up-to-date with the latest security patches and features.
The CI workflows also need their Go version matrix updated to cover Go 1.18 through 1.22, keeping the library tested against current Go releases.
A toolchain of Go >= 1.18.2 is required to fully address all of the vulnerabilities listed, because CVE-2022-29526 is fixed in Go itself rather than in golang.org/x/crypto.
Vulnerabilities covered:
- CVE-2021-43565
  - Severity: HIGH
  - Package: golang.org/x/crypto from 0.0.0-20210421170649-83a5a9bb288b
  - Advisory: https://github.com/advisories/GHSA-gwc9-m7rh-j2ww
- CVE-2022-27191
  - Severity: HIGH
  - Package: golang.org/x/crypto from 0.0.0-20210421170649-83a5a9bb288b
  - Advisory: https://github.com/advisories/GHSA-8c26-wmh5-6g9v
- CVE-2023-48795
  - Severity: Moderate
  - Package: golang.org/x/crypto from 0.0.0-20210421170649-83a5a9bb288b
  - Advisory: https://github.com/advisories/GHSA-45x7-px36-x8w8
- CVE-2022-29526
  - Severity: Moderate
  - Package: go < 1.18.2 via golang.org/x/sys/unix
  - Advisory: https://github.com/advisories/GHSA-p782-xgp4-8hr8
Validation Steps Proposed:
- `go mod tidy`
- `diff <(gofmt -d .) <(echo -n)`
- `go vet -x ./...`
- `golint -set_exit_status ./...`
- `go test -v -race ./...`
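The validation steps above confirm the module still builds, vets and tests cleanly, but none of them checks that the dependency bump actually landed. The following Go program is an added example, not code from the discordgo project or this issue: it scans a go.mod for the `go` directive and the golang.org/x/crypto requirement and compares both against the minimums named here (go 1.18, x/crypto v0.22.0), and separately checks the running toolchain against the 1.18.2 floor the issue gives for CVE-2022-29526. The two embedded go.mod texts are constructed samples; only the x/crypto pseudo-version in the "before" sample comes from this issue, and the `go 1.13` directive and the `example.com/unrelated` module are illustrative.

```go
package main

import (
	"bufio"
	"fmt"
	"runtime"
	"strconv"
	"strings"
	"unicode"
)

// Minimums taken from the issue text. minToolchain is the Go release the
// issue says is needed to fully cover CVE-2022-29526.
const (
	minGoDirective = "1.18"
	minToolchain   = "go1.18.2"
	minCrypto      = "v0.22.0"
)

// Constructed sample go.mod contents (assumed, not the real history of the
// repository): a "before" file pinning the vulnerable pseudo-version named in
// the issue, and an "after" file matching the requested update.
const beforeGoMod = `module github.com/bwmarrin/discordgo

go 1.13

require golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b
`

const afterGoMod = `module github.com/bwmarrin/discordgo

go 1.18

require (
	golang.org/x/crypto v0.22.0
	example.com/unrelated v1.2.3 // indirect
)
`

// parseVersion turns "v0.22.0", "v0.0.0-20210421170649-83a5a9bb288b",
// "go1.18.2" or "1.18" into numeric components. Everything from the first
// character that is neither a digit nor '.' is dropped, so a pseudo-version
// collapses to its base tag (v0.0.0), which correctly sorts below any
// tagged release.
func parseVersion(s string) ([]int, error) {
	orig := s
	s = strings.TrimPrefix(s, "go")
	s = strings.TrimPrefix(s, "v")
	cut := strings.IndexFunc(s, func(r rune) bool { return r != '.' && !unicode.IsDigit(r) })
	if cut >= 0 {
		s = s[:cut]
	}
	if s == "" {
		return nil, fmt.Errorf("no numeric version in %q", orig)
	}
	var out []int
	for _, p := range strings.Split(s, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("bad version component %q in %q", p, orig)
		}
		out = append(out, n)
	}
	return out, nil
}

// atLeast reports whether have >= want. Missing trailing components count as
// zero, so "1.18" equals "1.18.0" but is below "1.18.2". Unparsable input
// is treated as not satisfying the minimum.
func atLeast(have, want string) bool {
	h, err1 := parseVersion(have)
	w, err2 := parseVersion(want)
	if err1 != nil || err2 != nil {
		return false
	}
	for i := 0; i < len(h) || i < len(w); i++ {
		var x, y int
		if i < len(h) {
			x = h[i]
		}
		if i < len(w) {
			y = w[i]
		}
		if x != y {
			return x > y
		}
	}
	return true
}

// ModCheck summarises what was found in a go.mod and whether it meets the minimums.
type ModCheck struct {
	GoDirective, CryptoVersion string
	GoOK, CryptoOK             bool
}

// CheckGoMod scans go.mod text for the `go` directive and the
// golang.org/x/crypto requirement (single-line or inside a require block).
// An absent entry counts as failing the check.
func CheckGoMod(gomod string) ModCheck {
	var res ModCheck
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) == 2 && f[0] == "go":
			res.GoDirective = f[1]
		case len(f) >= 2 && f[0] == "golang.org/x/crypto":
			res.CryptoVersion = f[1]
		case len(f) >= 3 && f[0] == "require" && f[1] == "golang.org/x/crypto":
			res.CryptoVersion = f[2]
		}
	}
	res.GoOK = res.GoDirective != "" && atLeast(res.GoDirective, minGoDirective)
	res.CryptoOK = res.CryptoVersion != "" && atLeast(res.CryptoVersion, minCrypto)
	return res
}

// CheckToolchain reports whether a runtime.Version() string such as
// "go1.22.3" meets the toolchain floor. Development builds report
// "devel go1.xx-<hash> ..." so the second field is used in that case.
func CheckToolchain(v string) bool {
	if strings.HasPrefix(v, "devel ") {
		if f := strings.Fields(v); len(f) > 1 {
			v = f[1]
		}
	}
	return atLeast(v, minToolchain)
}

func main() {
	for _, s := range []struct{ name, mod string }{{"before", beforeGoMod}, {"after", afterGoMod}} {
		r := CheckGoMod(s.mod)
		fmt.Printf("%-6s go=%-5s ok=%-5v x/crypto=%s ok=%v\n", s.name, r.GoDirective, r.GoOK, r.CryptoVersion, r.CryptoOK)
	}
	fmt.Printf("toolchain %s >= %s: %v\n", runtime.Version(), minToolchain, CheckToolchain(runtime.Version()))
}
```

Pointing CheckGoMod at the real go.mod (read the file instead of the embedded samples) makes a cheap CI gate that fails if a later change reintroduces the old pseudo-version; note that it only reads the declared requirement, so `go mod tidy` should run first to make go.mod reflect the resolved module graph.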
Originally Proposed PR: https://github.com/bwmarrin/discordgo/pull/1528