Importing a vulnerable "github.com/btcsuite/btcd v0.21.0-beta" vulnerable library in the go.mod file as a require

[its-sachink]

Description

As per the NIST compliance https://nvd.nist.gov/vuln/detail/CVE-2022-44797 the current "github.com/btcsuite/btcd v0.21.0-beta" module is vulnerable. Also please note that this is a BETA release, so we need to replace it with the stable release.

Requesting to replace it with the version "https://github.com/btcsuite/btcd/releases/tag/v0.23.2" to fix this BUG.

Steps to reproduce the issue

Describe the results you received and expected

Requesting to replace the current "github.com/btcsuite/btcd v0.21.0-beta" module which is vulnerable, with the version "https://github.com/btcsuite/btcd/releases/tag/v0.23.2" to fix this BUG.

What version of nerdctl are you using?

v 1.0.0

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

No response

Host information

No response

[AkihiroSuda]

We are not using the affected files (https://github.com/btcsuite/btcd/pull/1896/files)

• go.mod: add a comment about indirect dependency on github.com/btcsuite/btcd/btcec (NOT bitcoin daemon itself) #1573

[its-sachink]

Thanks for confirming about the false positive @AkihiroSuda . Appreciate your clarficiation.

Regards,
Sachin Kesarkar.