Tag a new release to pick up fix for GO-2025-3485 already on main

Open jfkw opened this issue 8 months ago • 3 comments

It would be helpful to have a new tagged release, thanks for the recent progress. Release v0.3.0 is affected by GO-2025-3485. A fix is already on main via 1edbc4ee086b203cd9eeb1a0f4323b6b517f2ea1.

Thanks.

jfkw, Mar 13 '25 20:03

Re-upping request to tag a release. v0.3.0 is reported by govulncheck to be affected by an open vulnerability, already fixed on main via be1d0d2143d99f13adb5cf107437ec6ee7af9bd2.

Running govulncheck on v0.3.0:

vexctl> git switch --detach v0.3.0
HEAD is now at c613023 Merge pull request #243 from openvex/dependabot/go_modules/all-37b3873216
vexctl> govulncheck .
=== Symbol Results ===

Vulnerability #1: GO-2025-3485
    DoS in go-jose Parsing in github.com/go-jose/go-jose
  More info: https://pkg.go.dev/vuln/GO-2025-3485
  Module: github.com/go-jose/go-jose/v3
    Found in: github.com/go-jose/go-jose/[email protected]
    Fixed in: github.com/go-jose/go-jose/[email protected]
    Example traces found:
      #1: pkg/attestation/attestation.go:145:35: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls jose.ParseSigned

  Module: github.com/go-jose/go-jose/v4
    Found in: github.com/go-jose/go-jose/[email protected]
    Fixed in: github.com/go-jose/go-jose/[email protected]
    Example traces found:
      #1: pkg/attestation/attestation.go:145:35: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls jose.ParseSignedCompact

Your code is affected by 1 vulnerability from 1 module.
This scan also found 6 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

Re-running govulncheck on v0.3.0:

vexctl> git switch main
Switched to branch 'main'
Your branch is up to date with 'origin/main'.
vexctl> govulncheck .
No vulnerabilities found.

jfkw, Apr 28 '25 21:04
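The govulncheck output above separates the one vulnerability vexctl's own code reaches (a symbol-level trace ending in jose.ParseSigned) from the ones that are merely present in imported packages or required modules. As an added example, not code from this issue or from the vexctl project, the following Go program reads `govulncheck -json` output and splits findings along that line. The field names are assumed from the golang.org/x/vuln JSON schema, and the embedded sample (including the GO-0000-PLACEHOLDER id) is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Subset of the govulncheck -json stream (field names assumed from the golang.org/x/vuln schema).
type frame struct {
	Package  string `json:"package"`
	Function string `json:"function"`
}
type finding struct {
	OSV   string  `json:"osv"`
	Trace []frame `json:"trace"`
}

// Triage splits reported OSV IDs into those with a symbol-level trace (a call path from our
// code to the vulnerable function) and those only found in imported packages or required modules.
func Triage(r io.Reader) (reachable, importedOnly []string, err error) {
	symbolLevel := map[string]bool{} // OSV id -> true once a trace whose first (vulnerable) frame names a function is seen
	dec := json.NewDecoder(r)
	for {
		var m struct{ Finding *finding `json:"finding"` }
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, nil, err
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue // config, progress and osv messages carry no finding
		}
		symbolLevel[m.Finding.OSV] = symbolLevel[m.Finding.OSV] || m.Finding.Trace[0].Function != ""
	}
	for id, sym := range symbolLevel {
		if sym {
			reachable = append(reachable, id)
		} else {
			importedOnly = append(importedOnly, id)
		}
	}
	sort.Strings(reachable)
	sort.Strings(importedOnly)
	return reachable, importedOnly, nil
}

// Sample is constructed input: the issue's symbol-level finding plus a package-level one under a placeholder ID.
const Sample = `{"finding":{"osv":"GO-2025-3485","trace":[{"package":"github.com/go-jose/go-jose/v3","function":"ParseSigned"},{"package":"github.com/openvex/vexctl/pkg/attestation","function":"signAttestation"}]}}` +
	`{"finding":{"osv":"GO-0000-PLACEHOLDER","trace":[{"package":"example.com/placeholder/pkg"}]}}`
func main() { fmt.Println(Triage(strings.NewReader(Sample))) }
```

Feed it real output with `govulncheck -json ./... | go run triage.go` (reading from stdin instead of Sample) to gate a release on reachable findings only.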

Any update on this? Could a maintainer please tag a new release that includes the version bumps for the affected packages? Thank you!

delsner, Jul 28 '25 13:07

We are making some improvements to the release process; we'll cut a new release this week!

puerco, Jul 30 '25 17:07