x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-gv9j-4w24-q7vx #368

Closed
GoVulnBot opened this issue Mar 24, 2022 · 5 comments
Assignees
Labels
excluded: DEPENDENT_VULNERABILITY This vulnerability is downstream of another existing vulnerability report.

Comments

@GoVulnBot

In GitHub Security Advisory GHSA-gv9j-4w24-q7vx, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/coredns/coredns | 1.6.6 | < 1.6.6 |

See doc/triage.md for instructions on how to triage this report.

```yaml
package: github.com/coredns/coredns
versions:
  - introduced: v0.0.0
    fixed: v1.6.6
description: |
    ### Impact

    CoreDNS before 1.6.6 (using go DNS package < 1.1.25) improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.

    ### Patches
    The problem has been fixed in 1.6.6+.

    ### References
    - [CVE-2019-19794](https://nvd.nist.gov/vuln/detail/CVE-2019-19794)

    ### For more information
    Please consult [our security guide](https://github.com/coredns/coredns/blob/master/.github/SECURITY.md) for more information regarding our security process.
published: 2022-03-01T21:03:11Z
last_modified: 2022-03-01T22:49:13Z
ghsas:
  - GHSA-gv9j-4w24-q7vx
```
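An added example to illustrate the mechanism the advisory above describes; this is example code written for this page, not code from CoreDNS or the Go DNS package. It contrasts a DNS transaction ID generator built on math/rand with one built on crypto/rand (the standard remedy; the page does not describe the fix itself) and plays the attacker: given two observed TXIDs and a rough idea of the seed (a coarse timestamp, say), brute-force the seed and forecast every later TXID, at which point a spoofed reply carrying the right ID passes the TXID check. Before Go 1.20 the package-level math/rand functions started from a fixed seed unless the program called rand.Seed, so an attacker did not even need the search. The seed 1700000000, the 2001-value search window and the helper names (weakIDGen, recoverSeed, predictWeakIDs, strongID, forgeryHits) are constructed for the example.

```go
// Example written for this page, not CoreDNS or Go DNS package code.
// Shows why a DNS transaction ID (TXID) drawn from math/rand is predictable
// and how a crypto/rand-backed generator avoids that.
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
	mrand "math/rand"
)

// weakIDGen mirrors the vulnerable pattern: TXIDs taken from a math/rand
// PRNG. math/rand is deterministic, so the whole stream is a function of
// the seed; anyone who learns or guesses the seed reproduces it.
type weakIDGen struct{ r *mrand.Rand }

func newWeakIDGen(seed int64) *weakIDGen {
	return &weakIDGen{r: mrand.New(mrand.NewSource(seed))}
}

// Next truncates a 32-bit draw to the 16-bit TXID field.
func (g *weakIDGen) Next() uint16 { return uint16(g.r.Uint32()) }

// strongID draws the TXID from the OS CSPRNG. A read failure must be
// surfaced, never papered over with a fallback to a predictable source.
func strongID() (uint16, error) {
	var b [2]byte
	if _, err := rand.Read(b[:]); err != nil {
		return 0, err
	}
	return binary.BigEndian.Uint16(b[:]), nil
}

// recoverSeed is the attacker's step: having observed two consecutive TXIDs
// and knowing the seed lies in [lo, hi] (constructed assumption, e.g. a
// coarse timestamp), try every candidate. Two IDs give 32 bits of check, so
// a chance match in a small window is negligible; one ID alone would collide
// about once per 65536 candidates.
func recoverSeed(observed [2]uint16, lo, hi int64) (int64, bool) {
	for s := lo; s <= hi; s++ {
		g := newWeakIDGen(s)
		if g.Next() == observed[0] && g.Next() == observed[1] {
			return s, true
		}
	}
	return 0, false
}

// predictWeakIDs returns the first n TXIDs a resolver seeded with seed will
// emit; the attacker simply skips the ones already observed.
func predictWeakIDs(seed int64, n int) []uint16 {
	g := newWeakIDGen(seed)
	out := make([]uint16, n)
	for i := range out {
		out[i] = g.Next()
	}
	return out
}

// forgeryHits counts positions where the attacker's forecast equals the
// resolver's real TXID: each is a spoofed reply the TXID check would accept
// (source-port randomisation, the other defence, is out of scope here).
func forgeryHits(resolver, attacker []uint16) int {
	hits := 0
	for i := range resolver {
		if i < len(attacker) && resolver[i] == attacker[i] {
			hits++
		}
	}
	return hits
}

func main() {
	const trueSeed int64 = 1700000000 // constructed; unknown to the attacker
	resolver := newWeakIDGen(trueSeed)
	var emitted []uint16
	for i := 0; i < 6; i++ {
		emitted = append(emitted, resolver.Next())
	}

	// Attacker sees the first two IDs and knows the seed to within +-1000.
	seed, ok := recoverSeed([2]uint16{emitted[0], emitted[1]}, trueSeed-1000, trueSeed+1000)
	if !ok {
		fmt.Println("seed not in window")
		return
	}
	forecast := predictWeakIDs(seed, 6)
	fmt.Printf("resolver TXIDs: %v\nforecast:       %v\nforgeable: %d of %d\n",
		emitted, forecast, forgeryHits(emitted, forecast), len(emitted))

	id, err := strongID()
	if err != nil {
		panic(err)
	}
	fmt.Printf("crypto/rand TXID: %#04x (no seed to recover)\n", id)
}
```

The search cost grows linearly with the window, so the realistic lesson is not that the seed is cheap to find in every deployment but that a 16-bit ID from a deterministic generator offers no margin once any state leaks; the crypto/rand version has no seed to recover at all.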

@neild
Contributor

neild commented Jul 13, 2022

Vulnerability in tool.

@neild neild closed this as completed Jul 13, 2022
@julieqiu julieqiu changed the title x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-gv9j-4w24-q7vx x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-gv9j-4w24-q7vx and CVE-2019-19794 Aug 1, 2022
@neild neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module. and removed NotGoVuln labels Aug 11, 2022
@tatianab tatianab added excluded: DEPENDENT_VULNERABILITY This vulnerability is downstream of another existing vulnerability report. and removed excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module. labels Nov 18, 2022
@tatianab
Contributor

Downstream of #8

@tatianab tatianab changed the title x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-gv9j-4w24-q7vx and CVE-2019-19794 x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-gv9j-4w24-q7vx Nov 18, 2022
@gopherbot
Contributor

Change https://go.dev/cl/451280 mentions this issue: data/excluded: reclassify GO-2022-0368.yaml as dependent

gopherbot pushed a commit that referenced this issue Nov 18, 2022
GO-2022-0368 is dependent on GO-2020-0008. Remove the CVE, which actually
refers to the upstream vuln, and re-classify as DEPENDENT_VULNERABILITY.

Aliases: GHSA-gv9j-4w24-q7vx

Updates #368, #8

Change-Id: Ide59a0ef1c529d66fb5511cafeea9559b372ca07
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/451280
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
@gopherbot
Contributor

Change https://go.dev/cl/592767 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Contributor

Change https://go.dev/cl/607217 mentions this issue: data/reports: unexclude 20 reports (15)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
  - data/reports/GO-2022-0367.yaml
  - data/reports/GO-2022-0368.yaml
  - data/reports/GO-2022-0369.yaml
  - data/reports/GO-2022-0372.yaml
  - data/reports/GO-2022-0374.yaml
  - data/reports/GO-2022-0375.yaml
  - data/reports/GO-2022-0377.yaml
  - data/reports/GO-2022-0378.yaml
  - data/reports/GO-2022-0381.yaml
  - data/reports/GO-2022-0387.yaml
  - data/reports/GO-2022-0388.yaml
  - data/reports/GO-2022-0389.yaml
  - data/reports/GO-2022-0390.yaml
  - data/reports/GO-2022-0392.yaml
  - data/reports/GO-2022-0393.yaml
  - data/reports/GO-2022-0395.yaml
  - data/reports/GO-2022-0396.yaml
  - data/reports/GO-2022-0398.yaml
  - data/reports/GO-2022-0405.yaml
  - data/reports/GO-2022-0406.yaml

Updates #367
Updates #368
Updates #369
Updates #372
Updates #374
Updates #375
Updates #377
Updates #378
Updates #381
Updates #387
Updates #388
Updates #389
Updates #390
Updates #392
Updates #393
Updates #395
Updates #396
Updates #398
Updates #405
Updates #406

Change-Id: I001f245aa4d9225668c2b30e3d5b4ca7a7e9b3b3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607217
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

5 participants