Re: [paho-dev] Vulnerability found on v1.4.3

Hi,

GHSA-4374-p667-p6c8 is fixed by GO-2023-2102, "With the fix applied, HTTP/2 servers now bound the number of simultaneously...", so it relates to HTTP/2 servers. The MQTT client does not create any HTTP/2 servers, so the issue does not appear to be relevant to the library.

As paho.mqtt.golang is stable, releases are infrequent. However, it's been a year since the last release, so I will aim to make another in August (note that this release will require Go v1.20+).

Matt


On Tue, 30 Jul 2024 at 22:39, Sudarshan Reddy via paho-dev <paho-dev@xxxxxxxxxxx> wrote:
Hi Team,

I have found a vulnerability in the v1.4.3 release, and it has been fixed in the master branch. Just wanted to check when the new release is happening?
repo: eclipse/paho.mqtt.golang
version: v1.4.3
release: July 2023

Vulnerability:
NAME : golang.org/x/net
INSTALLED: v.0.10.0
FIXED_IN : 0.17.0
type : go module
vulnerability:GHSA-4374-p667-p6c8
severity: High

Can you please reply with the next release date?

Thanks,
Sudharsan
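
Added example (not part of either message, and not code from the paho project): a two-stage triage of the finding discussed in this thread. It first reproduces the scanner's module-level match against the fixed version, then checks whether the source imports the HTTP/2 package at all. The go.mod and source text are constructed samples, the function names are hypothetical, and golang.org/x/net/http2 as the affected package path comes from the Go advisory rather than from this thread; an import check is only a coarse stand-in for call-level analysis such as govulncheck performs.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strings"
)

// Constructed sample inputs; not taken from the paho repository.
const sampleGoMod = "module example.com/mqttapp\n\ngo 1.20\n\nrequire (\n\tgolang.org/x/net v0.10.0\n\tgolang.org/x/sync v0.1.0\n)\n"
const sampleSrc = `package client; import ("net"; "golang.org/x/net/proxy")`

// pinnedVersion returns the version go.mod requires for module, or "" if absent.
func pinnedVersion(gomod, module string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module {
			return f[1]
		}
	}
	return ""
}

// versionKey packs vMAJOR.MINOR.PATCH into one integer (parts < 1000, no pre-release tags).
func versionKey(v string) int {
	var major, minor, patch int
	fmt.Sscanf(v, "v%d.%d.%d", &major, &minor, &patch)
	return major*1_000_000 + minor*1_000 + patch
}

// importsPackage reports whether Go source imports pkg or one of its subpackages.
func importsPackage(src, pkg string) (bool, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "sample.go", src, parser.ImportsOnly)
	if err != nil {
		return false, err
	}
	for _, imp := range f.Imports {
		if p := strings.Trim(imp.Path.Value, `"`); p == pkg || strings.HasPrefix(p, pkg+"/") {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	v := pinnedVersion(sampleGoMod, "golang.org/x/net")
	hit, _ := importsPackage(sampleSrc, "golang.org/x/net/http2")
	fmt.Printf("pinned %s, below v0.17.0: %v, imports http2: %v\n", v, versionKey(v) < versionKey("v0.17.0"), hit)
}
```

On the sample, the module-level check flags the pinned version while the import check finds no use of the HTTP/2 package, which is the distinction the reply draws.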