go-restful
Please deploy update of v2 to https://pkg.go.dev/
After trying to use prometheus, which uses go-restful, we discovered a CRITICAL CVE:
Detecting gobinary vulnerabilities...
bin/prometheus (gobinary)
Total: 1 (CRITICAL: 1)
┌────────────────────────────────┬───────────────┬──────────┬──────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library                        │ Vulnerability │ Severity │ Installed Version    │ Fixed Version │ Title                                                        │
├────────────────────────────────┼───────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996 │ CRITICAL │ v2.16.0+incompatible │ v3.8.0        │ go-restful: Authorization Bypass Through User-Controlled Key │
│                                │               │          │                      │               │ https://avd.aquasec.com/nvd/cve-2022-1996                    │
└────────────────────────────────┴───────────────┴──────────┴──────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
It says here that version 3.8.0 fixed the problem.
https://pkg.go.dev/github.com/emicklei/go-restful has the vulnerable version. Can you fix this for v2?
Or am I seeing something wrong?
I think you are right. I will see if the same fix can be applied to the v2 version.
Thank you very much :-)
Hi, I checked and saw that I already cherry-picked the changes into 2.16.0. See https://github.com/emicklei/go-restful/blob/master/CHANGES.md
So how can I mark v2.16.0+incompatible as being a fixed version too?
I guess you may bump the version to e.g. v2.16.1+incompatible.
Then it should be resolved?
Well, I thought the v2.16.0 would do it at the time. My guess is that some other tooling and public? registry out there needs to become aware of it. I assume such a registry is able to handle multiple major versions for a given library. How and where are the CVE issues created?
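The multiple-major-version question above, as an added example that is not part of this thread or of go-restful: a standard-library Go program that parses module versions such as the scanner's v2.16.0+incompatible and contrasts an advisory that records the single fixed version v3.8.0 with one that records a fixed version per major branch. The per-major map and the function names are assumptions constructed for the illustration.

```go
package main

import (
	"strconv"
	"strings"
)

// parse reads "vMAJOR.MINOR.PATCH[+incompatible]" (the suffix Go gives v2+ modules without a /vN path).
func parse(s string) ([3]int, bool) {
	var n [3]int
	s, _, _ = strings.Cut(strings.TrimPrefix(s, "v"), "+")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return n, false
	}
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return n, false
		}
		n[i] = v
	}
	return n, true
}

// less is plain numeric order: v2.16.0 sorts below v3.8.0 even though the v2 branch carries the same fix.
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// VulnerableSingleFix mirrors an advisory with one fixed version: every lower version is reported, whatever its major.
func VulnerableSingleFix(installed, fixed string) bool {
	in, ok1 := parse(installed)
	fx, ok2 := parse(fixed)
	return !ok1 || !ok2 || less(in, fx) // unparsable input is reported, not silently cleared
}

// VulnerablePerMajor mirrors an advisory with a fixed version per major branch; a branch with no recorded fix stays vulnerable.
func VulnerablePerMajor(installed string, fixedByMajor map[int]string) bool {
	in, _ := parse(installed) // an unparsable version has major 0, which has no recorded fix
	fixed, found := fixedByMajor[in[0]]
	return !found || VulnerableSingleFix(installed, fixed)
}
```

With the thread's versions, VulnerableSingleFix("v2.16.0+incompatible", "v3.8.0") reports the install as vulnerable, while VulnerablePerMajor with fixes recorded for both branches (2: v2.16.0, 3: v3.8.0) clears it.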
I am very sorry, I really don't know ...
This says it's OK now: https://nvd.nist.gov/vuln/detail/CVE-2022-1996
Great, thank you!