> I have found a vulnerability in the v1.5.0 release.
> vulnerability: GHSA-w32m-9786-jp63
This vulnerability appears to relate to
golang.org/x/net/html (see
the related issue), and I don't believe this is used in eclipse-paho/paho.mqtt.golang. It's not uncommon for vulnerability scanners to flag any vulnerability in a dependency, regardless of whether the functionality in question is actually used (most vulnerabilities reported in x/net relate to its use in a server, whereas paho.mqtt.golang only acts as a client).
If you believe that this issue does impact paho.mqtt.golang then please feel free to email me the details (or
follow the security process noted below). Alternatively, if you are just reporting something that a tool flagged, please feel free to
raise an issue/PR in the repo.
Note that the process for reporting security vulnerabilities is covered in the repo (paho-dev@xxxxxxxxxxx is open to the public, so it is not an ideal venue for discussions around security). If you believe you may have found an issue, but are unsure, then please also feel free to reach out to me; raising an issue on the repo is preferable to emailing this list (as it includes maintainers of all of the paho libraries, only a few of us work on the Go library).
> Can you please reply with the next release date?
paho.mqtt.golang is a stable library (I don't think anyone is working on enhancements) so there are no releases scheduled (but fixing a security related issue would trigger one).
Matt
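As an added example that is not part of this thread: Matt's point is that the scanner reports the module golang.org/x/net as a whole, while what matters is whether the vulnerable package (golang.org/x/net/html) is actually compiled into the client. The script below answers that question with `go list -deps`, which prints every package that goes into a build; the helper that does the matching can be exercised on a constructed package list without a toolchain. The sample list is constructed for illustration and is not paho's real dependency graph.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a package from a flagged
# module is actually part of a Go module's build graph. A scanner reports the
# whole module (golang.org/x/net); `go list -deps` lists every package that is
# compiled in, so a vulnerable package missing from that list is not reachable.

# pkg_in_deps PKG
# Reads a newline-separated package list on stdin; succeeds only if PKG occurs
# as a whole line (exact match, so the module path alone does not match).
pkg_in_deps() {
    grep -qxF -- "$1"
}

# check_module_dir DIR PKG
# Runs `go list -deps` inside a real module directory (needs the Go toolchain)
# and reports whether PKG is compiled into any package under it.
check_module_dir() {
    dir=$1
    pkg=$2
    if ! command -v go >/dev/null 2>&1; then
        echo "go toolchain not found; live check skipped" >&2
        return 2
    fi
    if (cd "$dir" && go list -deps -f '{{.ImportPath}}' ./...) | pkg_in_deps "$pkg"; then
        echo "$pkg is compiled into $dir: the finding is reachable"
    else
        echo "$pkg is not compiled into $dir: the finding is for unused code"
        return 1
    fi
}

# Constructed sample (not a real dependency listing) in the format that
# `go list -deps -f '{{.ImportPath}}' ./...` prints, for an MQTT client that
# pulls in x/net only for its proxy package.
SAMPLE_DEPS='github.com/eclipse/paho.mqtt.golang
github.com/eclipse/paho.mqtt.golang/packets
golang.org/x/net/internal/socks
golang.org/x/net/proxy
golang.org/x/sync/semaphore
net
net/http'

# Demo on the sample: the flagged package is absent even though its module is present.
for pkg in golang.org/x/net/proxy golang.org/x/net/html; do
    if printf '%s\n' "$SAMPLE_DEPS" | pkg_in_deps "$pkg"; then
        echo "$pkg: present"
    else
        echo "$pkg: absent"
    fi
done
```

Run `check_module_dir /path/to/checkout golang.org/x/net/html` in a real checkout to get the live answer. `govulncheck` from golang.org/x/vuln performs the same reachability reasoning at the symbol level and is the tool to prefer for triaging scanner output; the script above only shows the package-level version of the argument Matt makes.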
Hi Team,
I have found a vulnerability in the v1.5.0 release.
repo: eclipse-paho/paho.mqtt.golang
version: v1.5.0
released: July 2024
Vulnerability:
NAME: golang.org/x/net
INSTALLED: v.0.27.0
FIXED_IN: 0.33.0
type: go module
vulnerability: GHSA-w32m-9786-jp63
severity: High
The above vulnerability is already fixed in v0.33.0. So can you please update golang.org/x/net to 0.33.0 in the go.mod file and release a new version?
I can raise a PR with the fixed version if you want me to, so that you can approve and merge it for the next release to fix the vulnerability.
Can you please reply with the next release date?
Thank you to the paho team.
Thanks,
Sudharsan