Conversation

@denisonbarbosa (Member)

This PR is very similar to the ones we did in aad-auth and adsys to improve the issue reporting experience both for the users and us since it better guides the users towards providing the information we need.

I left some //TODO wildcards that we need to tend to once we decide exactly how the information will be displayed and how the users should collect them.

This is to keep authd in line with the template used in our other projects
@denisonbarbosa denisonbarbosa requested a review from a team as a code owner July 17, 2023 11:32
@didrocks (Contributor) left a comment

How dare you? The tests are failing and it’s all due to your template changes ofc! :)

Ok ok, kidding :p


Be careful with sensitive information and security vulnerabilities. In order to report bugs that could contain
sensitive information, use [Launchpad](https://bugs.launchpad.net/ubuntu/+source/authd/+filebug) instead.
On Ubuntu machines, you can use `ubuntu-bug libpam-aad` to collect relevant information.
Contributor

Same thing about the ubuntu-bug command

@GabrielNagy (Contributor) left a comment

Had a minor comment otherwise 👍

Using yaml forms provides a more guided (and overall best) experience for
users to report issues and suggest new features for the project.
@denisonbarbosa denisonbarbosa force-pushed the add-issue-template-forms branch from bcd0659 to 588b469 Compare July 18, 2023 11:32
@denisonbarbosa denisonbarbosa merged commit 4cee1ba into main Jul 18, 2023
@denisonbarbosa denisonbarbosa deleted the add-issue-template-forms branch July 18, 2023 11:44
jibel added a commit that referenced this pull request May 9, 2024
Bump Go to 1.22.3

Fixes Vulnerability #1: GO-2024-2824
  Malformed DNS message can cause infinite loop in net
More info: https://pkg.go.dev/vuln/GO-2024-2824
  Standard library
    Found in: net@go1.22.2
    Fixed in: net@go1.22.3
3v1n0 referenced this pull request in 3v1n0/authd Jun 5, 2024
Fixes Vulnerability #1: GO-2024-2887
  The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected
  for IPv4-mapped IPv6 addresses, returning false for addresses which would
  return true in their traditional IPv4 forms.
More info: https://pkg.go.dev/vuln/GO-2024-2887
  Standard library
    Found in: net@go1.21.0
    Fixed in: net@go1.22.4
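The behaviour this advisory describes matters most in an egress guard: a check that calls IsPrivate or IsLoopback on the address as parsed can wave through ::ffff:10.0.0.1 on a toolchain without the fix. The following is an added example, not code from authd or from the Go standard library; CheckDestination and isInternalAddr are hypothetical helper names, and the inputs in main are constructed. It shows the toolchain-independent form of the check: call netip.Addr.Unmap before any Is* predicate, and reject zoned addresses outright.

```go
package main

import (
	"fmt"
	"net/netip"
)

// isInternalAddr reports whether addr falls in a range that an outbound
// request guard should refuse. Unmap folds an IPv4-mapped IPv6 address
// (::ffff:10.0.0.1) back to its IPv4 form (10.0.0.1) before the Is*
// predicates run, so the verdict is the same on toolchains with and
// without the GO-2024-2887 fix.
func isInternalAddr(addr netip.Addr) bool {
	a := addr.Unmap()
	return a.IsPrivate() ||
		a.IsLoopback() ||
		a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() ||
		a.IsMulticast() ||
		a.IsUnspecified()
}

// CheckDestination (hypothetical helper, not part of authd) parses an IP
// literal and returns a non-nil error when it must not be contacted.
// A zone suffix such as "%eth0" is rejected outright: an address that
// needs a scope identifier is never a public host.
func CheckDestination(host string) error {
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return fmt.Errorf("not an IP literal: %w", err)
	}
	if addr.Zone() != "" {
		return fmt.Errorf("zoned address %q is not allowed", host)
	}
	if isInternalAddr(addr) {
		return fmt.Errorf("address %s is not public", addr.Unmap())
	}
	return nil
}

func main() {
	// Constructed inputs; the mapped forms are the ones a naive check misses.
	inputs := []string{
		"10.0.0.1",             // plain RFC 1918
		"::ffff:10.0.0.1",      // same address, IPv4-mapped IPv6 notation
		"::ffff:7f00:1",        // 127.0.0.1 in hex-mapped notation
		"fe80::1%eth0",         // link-local with zone
		"::ffff:93.184.216.34", // mapped public address, allowed
		"example.com",          // not an IP literal
	}
	for _, h := range inputs {
		fmt.Printf("%-22s -> %v\n", h, CheckDestination(h))
	}
}
```

The Unmap call is what makes the check robust: on a patched toolchain the Is* methods already understand mapped addresses, but a guard should not depend on that, and the unmapped form is also what ends up in the error message and in any log line.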
edibotopic pushed a commit that referenced this pull request Dec 3, 2024
Minor edits to TOC in how-to index.md
adombeck added a commit that referenced this pull request Jan 28, 2025
govulncheck reports the following vulnerability in crypto/x509@go1.23:

Vulnerability #1: GO-2025-3373
    Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-3373
  Standard library
    Found in: crypto/x509@go1.23
    Fixed in: crypto/x509@go1.23.5
adombeck added a commit that referenced this pull request Feb 10, 2025
govulncheck reports the following vulnerability in nistec@go1.23.5:

Vulnerability #1: GO-2025-3447
    Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec
  More info: https://pkg.go.dev/vuln/GO-2025-3447
  Standard library
    Found in: crypto/internal/nistec@go1.23.5
    Fixed in: crypto/internal/nistec@go1.23.6
    Platforms: ppc64le
adombeck added a commit that referenced this pull request Apr 11, 2025
govulncheck reports the following vulnerability in go1.23.6

Vulnerability #1: GO-2025-3563
    Request smuggling due to acceptance of invalid chunked data in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3563
  Standard library
    Found in: net/http/internal@go1.23.6
    Fixed in: net/http/internal@go1.23.8
3v1n0 added a commit that referenced this pull request Apr 11, 2025
It seems that the new Go runtime fixed it; in fact the last vulnerability
fix mentions the code using it:

Vulnerability #1: GO-2025-3563
    Request smuggling due to acceptance of invalid chunked data in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3563
  Standard library
    Found in: net/http/internal@go1.23.6
    Fixed in: net/http/internal@go1.23.8
    Example traces found:
Error:       #1: pam/integration-tests/ssh_test.go:618:27:
             integration.safeBuffer.ReadFrom calls bytes.Buffer.ReadFrom,
             which eventually calls internal.chunkedReader.Read

Anyway, even if that isn't fully related, -race works fine without it now,
so drop the unneeded code
adombeck added a commit that referenced this pull request Jan 21, 2026
govulncheck reports the following vulnerability:

    Vulnerability #1: GO-2025-3787
        May leak sensitive information in logs when processing malformed data in
        github.com/go-viper/mapstructure
      More info: https://pkg.go.dev/vuln/GO-2025-3787
      Module: github.com/go-viper/mapstructure/v2
        Found in: github.com/go-viper/mapstructure/v2@v2.2.1
        Fixed in: github.com/go-viper/mapstructure/v2@v2.3.0

Dependabot doesn't create a PR which updates that dependency because
it's an indirect dependency.
adombeck added a commit that referenced this pull request Jan 21, 2026
govulncheck reports the following vulnerability in go1.24.4

Vulnerability #1: GO-2025-3956
    Unexpected paths returned from LookPath in os/exec
  More info: https://pkg.go.dev/vuln/GO-2025-3956
  Standard library
    Found in: os/exec@go1.24.4
    Fixed in: os/exec@go1.24.6
    Example traces found:
Error:       #1: internal/testutils/dbus.go:59:28: testutils.StartSystemBusMock calls exec.CommandContext, which eventually calls exec.LookPath
adombeck added a commit that referenced this pull request Jan 21, 2026
govulncheck reports the following vulnerabilities in go1.24.6

Vulnerability #1: GO-2025-4013
    Panic when validating certificates with DSA public keys in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4013
  Standard library
    Found in: crypto/x509@go1.24.6
    Fixed in: crypto/x509@go1.24.8
    Example traces found:
Error:       #1: cmd/authd-oidc/daemon/daemon_test.go:211:18: daemon_test.TestAppCanSigHupWithoutExecute calls io.Copy, which eventually calls x509.Certificate.Verify

Vulnerability #2: GO-2025-4012
    Lack of limit when parsing cookies can cause memory exhaustion in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-4012
  Standard library
    Found in: net/http@go1.24.6
    Fixed in: net/http@go1.24.8
    Example traces found:
Error:       #1: internal/broker/broker.go:471:51: broker.Broker.generateUILayout calls oauth2.Config.DeviceAuth, which eventually calls http.Client.Do

Vulnerability #3: GO-2025-4011
    Parsing DER payload can cause memory exhaustion in encoding/asn1
  More info: https://pkg.go.dev/vuln/GO-2025-4011
  Standard library
    Found in: encoding/asn1@go1.24.6
    Fixed in: encoding/asn1@go1.24.8
    Example traces found:
Error:       #1: internal/testutils/provider.go:68:36: testutils.init#1 calls x509.ParseCertificate, which eventually calls asn1.Unmarshal

Vulnerability #4: GO-2025-4010
    Insufficient validation of bracketed IPv6 hostnames in net/url
  More info: https://pkg.go.dev/vuln/GO-2025-4010
  Standard library
    Found in: net/url@go1.24.6
    Fixed in: net/url@go1.24.8
    Example traces found:
Error:       #1: internal/providers/msentraid/himmelblau/himmelblau.go:68:33: himmelblau.ensureBrokerClientAppInitialized calls url.JoinPath
Error:       #2: internal/broker/broker.go:216:25: broker.Broker.connectToOIDCServer calls oidc.NewProvider, which eventually calls url.Parse
Error:       #3: internal/testutils/provider.go:104:14: testutils.StartMockProviderServer calls httptest.Server.Start, which eventually calls url.ParseRequestURI
Error:       #4: internal/broker/broker.go:471:51: broker.Broker.generateUILayout calls oauth2.Config.DeviceAuth, which eventually calls url.URL.Parse

Vulnerability #5: GO-2025-4009
    Quadratic complexity when parsing some invalid inputs in encoding/pem
  More info: https://pkg.go.dev/vuln/GO-2025-4009
  Standard library
    Found in: encoding/pem@go1.24.6
    Fixed in: encoding/pem@go1.24.8
    Example traces found:
Error:       #1: internal/providers/msentraid/himmelblau/himmelblau.go:66:28: himmelblau.ensureBrokerClientAppInitialized calls sync.Once.Do, which eventually calls pem.Decode

Vulnerability #6: GO-2025-4008
    ALPN negotiation error contains attacker controlled information in
    crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2025-4008
  Standard library
    Found in: crypto/tls@go1.24.6
    Fixed in: crypto/tls@go1.24.8
    Example traces found:
Error:       #1: internal/testutils/provider.go:104:14: testutils.StartMockProviderServer calls httptest.Server.Start, which eventually calls tls.Conn.HandshakeContext
Error:       #2: cmd/authd-oidc/daemon/daemon_test.go:211:18: daemon_test.TestAppCanSigHupWithoutExecute calls io.Copy, which eventually calls tls.Conn.Read
Error:       #3: cmd/authd-oidc/daemon/daemon_test.go:399:14: daemon_test.TestMain calls fmt.Fprintf, which calls tls.Conn.Write
Error:       #4: internal/broker/broker.go:471:51: broker.Broker.generateUILayout calls oauth2.Config.DeviceAuth, which eventually calls tls.Dialer.DialContext

Vulnerability #7: GO-2025-4007
    Quadratic complexity when checking name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4007
  Standard library
    Found in: crypto/x509@go1.24.6
    Fixed in: crypto/x509@go1.24.9
    Example traces found:
Error:       #1: internal/providers/msentraid/himmelblau/himmelblau.go:66:28: himmelblau.ensureBrokerClientAppInitialized calls sync.Once.Do, which eventually calls x509.CertPool.AppendCertsFromPEM
Error:       #2: cmd/authd-oidc/daemon/daemon_test.go:211:18: daemon_test.TestAppCanSigHupWithoutExecute calls io.Copy, which eventually calls x509.Certificate.Verify
Error:       #3: internal/testutils/provider.go:63:34: testutils.init#1 calls x509.CreateCertificate
Error:       #4: internal/broker/broker.go:170:43: broker.Broker.NewSession calls x509.MarshalPKIXPublicKey
Error:       #5: internal/testutils/provider.go:68:36: testutils.init#1 calls x509.ParseCertificate
Error:       #6: internal/providers/msentraid/msmock_test.go:331:42: msentraid_test.mockMSServer.handleDeviceEnrollmentRequest calls x509.ParseCertificateRequest
Error:       #7: internal/broker/helper_test.go:159:40: broker_test.encryptSecret calls x509.ParsePKIXPublicKey
adombeck added a commit that referenced this pull request Jan 21, 2026
govulncheck reports the following vulnerabilities in go1.24.9

Vulnerability #1: GO-2025-4175
    Improper application of excluded DNS name constraints when verifying
    wildcard names in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4175
  Standard library
    Found in: crypto/x509@go1.24.9
    Fixed in: crypto/x509@go1.24.11
    Example traces found:
Error:       #1: cmd/authd-oidc/daemon/daemon_test.go:211:18: daemon_test.TestAppCanSigHupWithoutExecute calls io.Copy, which eventually calls x509.Certificate.Verify

Vulnerability #2: GO-2025-4155
    Excessive resource consumption when printing error string for host
    certificate validation in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4155
  Standard library
    Found in: crypto/x509@go1.24.9
    Fixed in: crypto/x509@go1.24.11
    Example traces found:
Error:       #1: cmd/authd-oidc/daemon/daemon_test.go:211:18: daemon_test.TestAppCanSigHupWithoutExecute calls io.Copy, which eventually calls x509.Certificate.Verify
Error:       #2: cmd/authd-oidc/daemon/daemon_test.go:211:18: daemon_test.TestAppCanSigHupWithoutExecute calls io.Copy, which eventually calls x509.Certificate.VerifyHostname
adombeck pushed a commit that referenced this pull request Jan 22, 2026
Adds the CI skeleton for the project: Set up issue templates, CODEOWNERS, QA checks, tests and so on.

UDENG-2037
adombeck pushed a commit that referenced this pull request Jan 22, 2026
Fixes Vulnerability #1: GO-2024-2963
    Denial of service due to improper 100-continue handling in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2963
  Standard library
    Found in: net/http@go1.22.4
    Fixed in: net/http@go1.22.5
adombeck added a commit that referenced this pull request Jan 22, 2026
govulncheck reports multiple vulnerabilities affecting Go versions
before 1.23.5:

Vulnerability #1: GO-2025-3420
    Sensitive headers incorrectly sent after cross-domain redirect in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3420
  Standard library
    Found in: net/http@go1.23
    Fixed in: net/http@go1.23.5

Vulnerability #2: GO-2025-3373
    Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-3373
  Standard library
    Found in: crypto/x509@go1.23
    Fixed in: crypto/x509@go1.23.5
adombeck added a commit that referenced this pull request Jan 22, 2026
govulncheck reports the following vulnerability in go1.24.1

Vulnerability #1: GO-2025-3563
    Request smuggling due to acceptance of invalid chunked data in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3563
  Standard library
    Found in: net/http/internal@go1.24.1
    Fixed in: net/http/internal@go1.24.2
adombeck added a commit that referenced this pull request Jan 22, 2026
govulncheck reports the following vulnerabilities in go1.24.2

Vulnerability #1: GO-2025-3751
    Sensitive headers not cleared on cross-origin redirect in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3751
  Standard library
    Found in: net/http@go1.24.2
    Fixed in: net/http@go1.24.4

Vulnerability #2: GO-2025-3750
    Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in
    syscall
  More info: https://pkg.go.dev/vuln/GO-2025-3750
  Standard library
    Found in: os@go1.24.2
    Fixed in: os@go1.24.4
    Platforms: windows
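GO-2025-3420 (listed earlier on this page) and GO-2025-3751 here describe the same class of bug: a client that carries Authorization or Cookie across a redirect to a different origin. The following is an added example, not authd's code and not the net/http implementation: a CheckRedirect policy that enforces the stripping on the client side, so the behaviour does not depend on the toolchain's net/http having the fix. StripOnCrossOrigin, SameOrigin, NewClient and simulateHop are hypothetical names, and the requests in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// sensitiveHeaders must not travel to a different origin on redirect.
var sensitiveHeaders = []string{"Authorization", "Proxy-Authorization", "Cookie"}

// effectivePort returns the explicit port or the scheme default.
func effectivePort(u *url.URL) string {
	if p := u.Port(); p != "" {
		return p
	}
	switch strings.ToLower(u.Scheme) {
	case "https":
		return "443"
	case "http":
		return "80"
	}
	return ""
}

// SameOrigin compares scheme, host and port; anything else is a
// cross-origin hop, including an https -> http downgrade on the same host.
func SameOrigin(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) &&
		strings.EqualFold(a.Hostname(), b.Hostname()) &&
		effectivePort(a) == effectivePort(b)
}

// StripOnCrossOrigin is an http.Client.CheckRedirect policy (hypothetical
// name, not an authd API). next is the request about to be sent; via holds
// the earlier requests, via[len(via)-1] being the hop that answered with
// the redirect. Sensitive headers are dropped whenever the origin changes,
// independent of what the transport strips on its own.
func StripOnCrossOrigin(next *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	prev := via[len(via)-1]
	if !SameOrigin(prev.URL, next.URL) {
		for _, h := range sensitiveHeaders {
			next.Header.Del(h)
		}
	}
	return nil
}

// NewClient returns a client wired with the policy.
func NewClient() *http.Client {
	return &http.Client{CheckRedirect: StripOnCrossOrigin}
}

// simulateHop builds the follow-up request the client would construct for
// a Location value, copies the original headers onto it and runs the
// policy, so the behaviour can be exercised without any network access.
func simulateHop(orig *http.Request, location string) (*http.Request, error) {
	next, err := http.NewRequest(http.MethodGet, location, nil)
	if err != nil {
		return nil, err
	}
	next.Header = orig.Header.Clone()
	if err := StripOnCrossOrigin(next, []*http.Request{orig}); err != nil {
		return nil, err
	}
	return next, nil
}

func main() {
	// Constructed request carrying a bearer token and a session cookie.
	orig, _ := http.NewRequest(http.MethodGet, "https://login.example.test/token", nil)
	orig.Header.Set("Authorization", "Bearer constructed-token")
	orig.Header.Set("Cookie", "session=constructed")
	for _, loc := range []string{
		"https://login.example.test:443/next", // same origin: headers kept
		"http://login.example.test/next",      // downgrade: headers dropped
		"https://attacker.example.test/next",  // other host: headers dropped
	} {
		next, err := simulateHop(orig, loc)
		if err != nil {
			fmt.Println(loc, err)
			continue
		}
		fmt.Printf("%-38s Authorization=%q Cookie=%q\n", loc,
			next.Header.Get("Authorization"), next.Header.Get("Cookie"))
	}
}
```

Go consults CheckRedirect after it has already copied the original headers onto the follow-up request, which is why Header.Del on next takes effect. Only the listed headers are removed; harmless ones such as Accept still follow the redirect, and the original request is never modified.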
Error:       #3: cmd/authd-oidc/daemon/daemon_test.go:399:14: daemon_test.TestMain calls fmt.Fprintf, which calls tls.Conn.Write
Error:       #4: internal/broker/broker.go:471:51: broker.Broker.generateUILayout calls oauth2.Config.DeviceAuth, which eventually calls tls.Dialer.DialContext

Vulnerability #7: GO-2025-4007
    Quadratic complexity when checking name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4007
  Standard library
    Found in: crypto/x509@go1.24.6
    Fixed in: crypto/x509@go1.24.9
    Example traces found:
Error:       #1: internal/providers/msentraid/himmelblau/himmelblau.go:66:28: himmelblau.ensureBrokerClientAppInitialized calls sync.Once.Do, which eventually calls x509.CertPool.AppendCertsFromPEM
Error:       #2: cmd/authd-oidc/daemon/daemon_test.go:211:18: daemon_test.TestAppCanSigHupWithoutExecute calls io.Copy, which eventually calls x509.Certificate.Verify
Error:       #3: internal/testutils/provider.go:63:34: testutils.init#1 calls x509.CreateCertificate
Error:       #4: internal/broker/broker.go:170:43: broker.Broker.NewSession calls x509.MarshalPKIXPublicKey
Error:       #5: internal/testutils/provider.go:68:36: testutils.init#1 calls x509.ParseCertificate
Error:       #6: internal/providers/msentraid/msmock_test.go:331:42: msentraid_test.mockMSServer.handleDeviceEnrollmentRequest calls x509.ParseCertificateRequest
Error:       #7: internal/broker/helper_test.go:159:40: broker_test.encryptSecret calls x509.ParsePKIXPublicKey
adombeck added a commit that referenced this pull request Jan 23, 2026
govulncheck reports the following vulnerabilities in go1.24.9

Vulnerability #1: GO-2025-4175
    Improper application of excluded DNS name constraints when verifying
    wildcard names in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4175
  Standard library
    Found in: crypto/x509@go1.24.9
    Fixed in: crypto/x509@go1.24.11
    Example traces found:
Error:       #1: cmd/authd-oidc/daemon/daemon_test.go:211:18: daemon_test.TestAppCanSigHupWithoutExecute calls io.Copy, which eventually calls x509.Certificate.Verify

Vulnerability #2: GO-2025-4155
    Excessive resource consumption when printing error string for host
    certificate validation in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4155
  Standard library
    Found in: crypto/x509@go1.24.9
    Fixed in: crypto/x509@go1.24.11
    Example traces found:
Error:       #1: cmd/authd-oidc/daemon/daemon_test.go:211:18: daemon_test.TestAppCanSigHupWithoutExecute calls io.Copy, which eventually calls x509.Certificate.Verify
Error:       #2: cmd/authd-oidc/daemon/daemon_test.go:211:18: daemon_test.TestAppCanSigHupWithoutExecute calls io.Copy, which eventually calls x509.Certificate.VerifyHostname
adombeck added a commit that referenced this pull request Jan 29, 2026
govulncheck reports the following vulnerabilities in go1.25.5

Vulnerability #1: GO-2026-4341
    Memory exhaustion in query parameter parsing in net/url
  More info: https://pkg.go.dev/vuln/GO-2026-4341
  Standard library
    Found in: net/url@go1.25.5
    Fixed in: net/url@go1.25.6
    Example traces found:
Error:       #1: internal/users/db/testutils.go:228:21: db.Z_ForTests_CreateDBFromDump calls sql.Open, which eventually calls url.ParseQuery

Vulnerability #2: GO-2026-4340
    Handshake messages may be processed at the incorrect encryption level in
    crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2026-4340
  Standard library
    Found in: crypto/tls@go1.25.5
    Fixed in: crypto/tls@go1.25.6
    Example traces found:
Error:       #1: pam/integration-tests/ssh_test.go:720:30: integration.startSSHD calls httptest.NewServer, which eventually calls tls.Conn.HandshakeContext
Error:       #2: cmd/authd/daemon/daemon_test.go:248:18: daemon_test.TestAppCanSigHupWithoutExecute calls io.Copy, which eventually calls tls.Conn.Read
Error:       #3: internal/services/pam/pam_test.go:895:14: pam_test.TestMain calls fmt.Fprintf, which calls tls.Conn.Write
adombeck added a commit that referenced this pull request Jan 31, 2026
govulncheck reports the following vulnerabilities in go1.24.11

Vulnerability #1: GO-2026-4341
    Memory exhaustion in query parameter parsing in net/url
  More info: https://pkg.go.dev/vuln/GO-2026-4341
  Standard library
    Found in: net/url@go1.24.11
    Fixed in: net/url@go1.24.12
    Example traces found:
Error:       #1: internal/broker/broker.go:482:51: broker.Broker.generateUILayout calls oauth2.Config.DeviceAuth, which eventually calls url.ParseQuery
Error:       #2: internal/providers/msentraid/msmock_test.go:175:18: msentraid_test.mockMSServer.handleAuthorizeRequest calls url.URL.Query

Vulnerability #2: GO-2026-4340
    Handshake messages may be processed at the incorrect encryption level in
    crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2026-4340
  Standard library
    Found in: crypto/tls@go1.24.11
    Fixed in: crypto/tls@go1.24.12
    Example traces found:
Error:       #1: internal/testutils/provider.go:104:14: testutils.StartMockProviderServer calls httptest.Server.Start, which eventually calls tls.Conn.HandshakeContext
Error:       #2: cmd/authd-oidc/daemon/daemon_test.go:211:18: daemon_test.TestAppCanSigHupWithoutExecute calls io.Copy, which eventually calls tls.Conn.Read
Error:       #3: cmd/authd-oidc/daemon/daemon_test.go:399:14: daemon_test.TestMain calls fmt.Fprintf, which calls tls.Conn.Write
Error:       #4: internal/broker/broker.go:482:51: broker.Broker.generateUILayout calls oauth2.Config.DeviceAuth, which eventually calls tls.Dialer.DialContext
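The govulncheck text format quoted in these commit messages is easy to triage programmatically. The parser below is an added example (not code from the authd project or this PR): it extracts each finding's ID, fix version and example call traces, and flags findings whose example traces all start in test code, which tells you whether a report concerns the shipped binary or only CI. The sample report is an excerpt constructed from the output quoted on this page; the `Error:` prefix on trace lines is the GitHub Actions annotation seen above.

```go
package main

import "strings"

type Finding struct { // one "Vulnerability #N" block of govulncheck's text report
	ID, FixedIn string
	Traces      []string // "file:line:col: caller calls ..." example traces
}

// sampleReport is a constructed excerpt of the govulncheck output quoted on this page.
const sampleReport = `Vulnerability #1: GO-2025-4010
    Fixed in: net/url@go1.24.8
Error:       #1: internal/broker/broker.go:216:25: broker.Broker.connectToOIDCServer calls oidc.NewProvider, which eventually calls url.Parse
Error:       #2: internal/testutils/provider.go:104:14: testutils.StartMockProviderServer calls httptest.Server.Start, which eventually calls url.ParseRequestURI
Vulnerability #2: GO-2025-4011
    Fixed in: encoding/asn1@go1.24.8
Error:       #1: internal/testutils/provider.go:68:36: testutils.init#1 calls x509.ParseCertificate, which eventually calls asn1.Unmarshal
`

// ParseGovulncheck reads govulncheck's text output, dropping the "Error:" prefix GitHub Actions adds.
func ParseGovulncheck(report string) []Finding {
	var out []Finding
	for _, raw := range strings.Split(report, "\n") {
		line := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(raw), "Error:"))
		if rest, ok := strings.CutPrefix(line, "Vulnerability #"); ok {
			_, id, _ := strings.Cut(rest, ": ") // "1: GO-2025-4010" -> "GO-2025-4010"
			out = append(out, Finding{ID: id})
		} else if len(out) > 0 {
			f := &out[len(out)-1]
			if rest, ok := strings.CutPrefix(line, "#"); ok {
				f.Traces = append(f.Traces, rest[strings.Index(rest, ": ")+2:]) // drop the "N: " counter
			} else if v, ok := strings.CutPrefix(line, "Fixed in:"); ok {
				f.FixedIn = strings.TrimSpace(v)
			}
		}
	}
	return out
}

// TestOnly reports whether all example traces start in test code (_test.go or testutils). Triage hint only: govulncheck prints example traces, not every path.
func (f Finding) TestOnly() bool {
	for _, t := range f.Traces {
		file, _, _ := strings.Cut(t, ":")
		if !strings.HasSuffix(file, "_test.go") && !strings.Contains(file, "/testutils/") {
			return false
		}
	}
	return len(f.Traces) > 0
}
```

A test-only finding still needs the toolchain bump, but it changes the urgency: the vulnerable function is reachable from the test suite, not from the code users run.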