Re: [paho-dev] Vulnerability found on v1.5.0

> I have found a vulnerability in the v1.5.0 release.
> vulnerability: GHSA-w32m-9786-jp63

This vulnerability appears to relate to golang.org/x/net/html (see the related issue), and I don't believe this is used in eclipse-paho/paho.mqtt.golang. It's not uncommon for vulnerability scanners to flag any vulnerability in a dependency, regardless of whether the functionality in question is actually used (most vulnerabilities reported in x/net relate to its use in a server, whereas paho.mqtt.golang only acts as a client).

If you believe that this issue does impact paho.mqtt.golang then please feel free to email me the details (or follow the security process noted below). Alternatively, if you are just reporting something that a tool flagged, please feel free to raise an issue/PR in the repo.

Note that the process for reporting security vulnerabilities is covered in the repo (paho-dev@xxxxxxxxxxx is open to the public, so is not an ideal venue for discussions around security).  If you believe you may have found an issue, but are unsure, then please also feel free to reach out to me; raising an issue on the repo is preferable to emailing this list (as it includes maintainers of all of the paho libraries, only a few of us work on the Go library).

> Can you please reply with the next release date?

paho.mqtt.golang is a stable library (I don't think anyone is working on enhancements) so there are no releases scheduled (but fixing a security related issue would trigger one).

Matt

On Thu, 16 Jan 2025 at 09:49, Sudarshan Reddy <moramsudarshan@xxxxxxxxx> wrote:
Hi Team,

I have found a vulnerability in the v1.5.0 release.
repo: eclipse-paho/paho.mqtt.golang
version: v1.5.0
released: July 2024

Vulnerability:
NAME : golang.org/x/net
INSTALLED: v0.27.0
FIXED_IN : 0.33.0
type : go module
vulnerability: GHSA-w32m-9786-jp63
severity: High

The above vulnerability is already fixed in v0.33.0. So can you please update golang.org/x/net to 0.33.0 in the go.mod file and release a new version?
And I can raise a PR with the fixed version if you want me to do it, so that you can approve and merge the PR for the next release to fix the vulnerability.

Can you please reply with the next release date?

Thank you to the paho team.

Thanks,
Sudharsan
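The point Matt makes about scanners, illustrated as an added example (not code from this thread or from paho.mqtt.golang): a module-level scanner reports every advisory whose module sits below the fixed version in the build list, while a reachability-aware scanner only reports advisories whose vulnerable package the program actually imports. The advisory ID, module, installed and fixed versions, and the fact that the advisory concerns golang.org/x/net/html are taken from the thread; the package list, the assumed set of imported x/net packages, and the import-based rule (a simplification of govulncheck's call-graph analysis) are constructed for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Vuln is a constructed advisory record: the affected module, the first
// version that fixes it, and the packages that hold the vulnerable code.
type Vuln struct {
	ID       string
	Module   string
	FixedIn  string
	Packages []string
}

// Finding is one reported advisory plus whether any of its vulnerable
// packages is imported by the program being scanned.
type Finding struct {
	ID       string
	Module   string
	Imported bool
}

// parseVersion turns "v0.27.0" (or "0.27.0") into [major, minor, patch].
// Pre-release suffixes such as "-rc1" are dropped for this example.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	v = strings.SplitN(v, "-", 2)[0]
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("bad version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// VersionLess reports whether a sorts before b (major.minor.patch only).
// An unparsable version is an error, never silently "not vulnerable".
func VersionLess(a, b string) (bool, error) {
	pa, err := parseVersion(a)
	if err != nil {
		return false, err
	}
	pb, err := parseVersion(b)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i], nil
		}
	}
	return false, nil
}

// Scan matches the build list (module -> installed version) against the
// advisory database. With requireImport=false it behaves like a typical
// dependency scanner: every vulnerable module version is reported. With
// requireImport=true it applies the package-reachability rule: an advisory
// is reported only if one of its vulnerable packages is imported.
func Scan(buildList map[string]string, imports map[string]bool, db []Vuln, requireImport bool) ([]Finding, error) {
	var out []Finding
	for _, v := range db {
		installed, ok := buildList[v.Module]
		if !ok {
			continue // module not in the build list at all
		}
		below, err := VersionLess(installed, v.FixedIn)
		if err != nil {
			return nil, err
		}
		if !below {
			continue // already at or past the fixed version
		}
		imported := false
		for _, p := range v.Packages {
			if imports[p] {
				imported = true
				break
			}
		}
		if requireImport && !imported {
			continue // vulnerable code is present in the module but never linked in
		}
		out = append(out, Finding{ID: v.ID, Module: v.Module, Imported: imported})
	}
	return out, nil
}

// Constructed sample data. Advisory ID, module, fixed version, installed
// version and the html package come from the thread; the imported-packages
// set is an assumption (a client importing some x/net package other than html).
var SampleDB = []Vuln{{
	ID: "GHSA-w32m-9786-jp63", Module: "golang.org/x/net", FixedIn: "v0.33.0",
	Packages: []string{"golang.org/x/net/html"},
}}
var SampleBuildList = map[string]string{"golang.org/x/net": "v0.27.0"}
var SampleImports = map[string]bool{"golang.org/x/net/proxy": true} // assumed

func main() {
	naive, _ := Scan(SampleBuildList, SampleImports, SampleDB, false)
	reach, _ := Scan(SampleBuildList, SampleImports, SampleDB, true)
	fmt.Printf("module-level scanner: %d finding(s)\n", len(naive))
	for _, f := range naive {
		fmt.Printf("  %s in %s (vulnerable package imported: %v)\n", f.ID, f.Module, f.Imported)
	}
	fmt.Printf("reachability-aware scanner: %d finding(s)\n", len(reach))
}
```

Run stand-alone, the module-level pass reports the advisory with `Imported: false` and the reachability-aware pass reports nothing, which is exactly the disagreement between a generic dependency scanner and a tool like `govulncheck` on a client that never touches x/net/html. The same rule also makes the upgrade case explicit: once the build list carries v0.33.0, neither pass reports anything.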
