Cool job, many thanks Chever John and shirui.

On Thu, Jun 23, 2022 at 5:43 PM shirui zhao <zhaoth...@gmail.com> wrote:
> It's fixed, thanks again for your feedback.
>
> --
> Shirui Zhao
>
> > On Jun 21, 2022, at 21:33, shirui zhao <zhaoth...@gmail.com> wrote:
> >
> > Thanks for your feedback, I'll check it out.
> >
> >> On Jun 21, 2022, at 21:28, Chever John <cheverjonat...@gmail.com> wrote:
> >>
> >> Hi Community,
> >>
> >> I have received an email with a security report that should be paid
> >> attention to. That is the main purpose of this email.
> >>
> >> Best regards,
> >> Chenwei Jiang
> >>
> >> ---------- Forwarded message ---------
> >> From: 开源社区OSCS <supp...@mail.oscs1024.com>
> >> Date: Tue, Jun 21, 2022 at 17:50
> >> Subject: The apache/apisix-go-plugin-runner project is affected by 2 open source components with security defects
> >> To: cheverjonathan <cheverjonat...@gmail.com>
> >>
> >> Dear contributor to the apache/apisix-go-plugin-runner project,
> >>
> >> Both open source projects and enterprise codebases are currently affected by components from the open source community that contain security defects. The Synopsys OSSRA 2021 open source security survey reports that, on average, each project introduces 55 components with security defects, and that these defective open source components lead to an average of 161 vulnerabilities per project.
> >>
> >> The OSCS security community monitors a set of open source projects, proactively scans them, and notifies them of the risks found:
> >>
> >> - Notify the authors and contributors of these open source projects that the project is affected by open source components with security defects
> >> - Notify the developers who have starred or forked these projects that they may also be affected by these components with security defects
> >>
> >> Because apache/apisix-go-plugin-runner is monitored by OSCS and is affected by components with security defects, we are taking the liberty of notifying you by email. If the information from the OSCS security community is not helpful to you, please click unsubscribe; we will mark the project as "not interested for now" and will not notify you again.
> >>
> >> The apache/apisix-go-plugin-runner project introduces a total of 2 vulnerable components. The main information is below:
> >>
> >> Full report: https://www.oscs1024.com/cd/1537361826717495296?sign=6c0aef6a
> >>
> >> Defective component: github.com/miekg/dns@v1.0.14 - direct dependency
> >>
> >> - Vulnerability title: miekg Go DNS package security feature issue vulnerability
> >> - Impact description: miekg Go DNS package is a DNS server package. Versions of miekg Go DNS package before 1.1.25 (as used in CoreDNS before 1.6.6 and other products) contain a security vulnerability caused by the program not generating random numbers correctly. An attacker can exploit this vulnerability to forge responses.
> >> - CVE ID: CVE-2019-19794
> >> - National vulnerability database entry: https://www.cnvd.org.cn/flaw/show/CNVD-2019-45898
> >> - Affected range: (∞, 1.1.25)
> >> - Minimum fixed version: 1.1.25
> >> - Dependency path: apisix-go-plugin-runner@1655370586063567052@-> github.com/miekg/dns@v1.0.14
> >> - Vulnerability details: https://www.oscs1024.com/hd/MPS-2019-16292
> >>
> >> Defective component: github.com/dgrijalva/jwt-go@v3.2.0+incompatible - direct dependency
> >>
> >> - Vulnerability title: jwt-go security vulnerability
> >> - Impact description: jwt-go is a JWT implementation in Go by an individual developer. Versions of jwt-go before 4.0.0-preview1 contain a security vulnerability. An attacker can exploit it to bypass intended access restrictions when []string{} is used for m["aud"] (which the specification allows).
> >> - CVE ID: CVE-2020-26160
> >> - National vulnerability database entry:
> >> - Affected range: (∞, 4.0.0-preview1)
> >> - Minimum fixed version: 4.0.0-preview1
> >> - Dependency path: apisix-go-plugin-runner@1655370586063567052@-> github.com/dgrijalva/jwt-go@v3.2.0+incompatible
> >> - Vulnerability details: https://www.oscs1024.com/hd/MPS-2020-13786
> >>
> >> Thank you for your efforts toward the healthy development of the open source ecosystem. On the scan report page you can obtain an OSCS community security badge to place in your project README to raise its security profile:
> >>
> >> Respectfully, the OSCS security community
> >>
> >> We wish you success at work and a happy life.
> >> Not interested in this information and do not wish to receive it again: unsubscribe

--
*MembPhis*
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix