
Bump go-yaml version to cover fixed ddos heuristic #362

Merged (1 commit), Oct 17, 2019

Conversation

petrkotas (Contributor)

This PR bumps go-yaml to v2.2.4, which has the DDoS vulnerability fixed.

Issue:
go-yaml preceding 2.2.4 was vulnerable to a DDoS attack via a billion laughs bomb.
Such an attack leads the program to become unresponsive.
The issue has been described in https://raesene.github.io/blog/2019/10/15/From-stackoverflow-to-CVE/
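As an added example (not code from the Gomega project or from this PR), a small Go audit of a go.mod that checks the two things this thread is about: whether gopkg.in/yaml.v2 is pinned at v2.2.4 or later, and whether a "go" directive is present. The sample go.mod, the module path example.com/consumer and all function names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod (not the Gomega repository's): go-yaml still below the fix, plus the "go 1.13" directive blgm raised.
const (
	sampleGoMod  = "module example.com/consumer\n\ngo 1.13\n\nrequire (\n\tgithub.com/onsi/ginkgo v1.10.1\n\tgopkg.in/yaml.v2 v2.2.2\n)\n"
	yamlModule   = "gopkg.in/yaml.v2"
	fixedYAMLKey = 2*1000000 + 2*1000 + 4 // v2.2.4: first go-yaml release that limits alias expansion
)

// versionKey maps "vMAJOR.MINOR.PATCH" (each part below 1000) to one comparable int; a suffix after the patch number is ignored.
func versionKey(v string) (int, error) {
	var major, minor, patch int
	n, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &major, &minor, &patch)
	if err != nil || n != 3 {
		return 0, fmt.Errorf("unexpected version %q", v)
	}
	return major*1000000 + minor*1000 + patch, nil
}

// auditGoMod reports the go-yaml version a go.mod requires (from "require M V" or an indented "M V"
// inside a require block), whether it is at least v2.2.4, and any "go" directive; replace lines are skipped.
func auditGoMod(gomod string) (yamlVersion string, fixed bool, goDirective string, err error) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || f[0] == "//" || f[0] == "replace" {
			continue
		}
		if len(f) == 2 && f[0] == "go" {
			goDirective = f[1]
			continue
		}
		for i := 0; i+1 < len(f); i++ {
			if f[i] == yamlModule {
				yamlVersion = f[i+1]
				key, kerr := versionKey(yamlVersion)
				if kerr != nil {
					return yamlVersion, false, goDirective, kerr
				}
				fixed = key >= fixedYAMLKey
			}
		}
	}
	return yamlVersion, fixed, goDirective, nil
}
```

Run against the constructed sample it reports v2.2.2 as not fixed and flags the "go 1.13" directive; a go.mod with `gopkg.in/yaml.v2 v2.2.4` or later passes.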

blgm (Collaborator) commented Oct 17, 2019

Hi @petrkotas. Thank you for submitting this. I notice that go.mod now has the line go 1.13. We want people on all supported versions of Go to be able to use Gomega, and I'm concerned that this might cause problems for people using older supported versions of Go. Would you mind removing that line? I realise that it was added automatically.

go-yaml preceding 2.2.4 was vulnerable to a DDoS
attack via a billion laughs bomb.
Such an attack leads the program to become unresponsive.

Signed-off-by: Petr Kotas <petr.kotas@gmail.com>
petrkotas (Contributor, Author)

Hi @blgm, of course, sorry for that. Honestly, I did not realise it was there, since VS Code keeps adding this to my go.mod everywhere.

blgm (Collaborator) commented Oct 17, 2019

Thank you @petrkotas!
