slievrly opened a new issue, #817: URL: https://github.com/apache/incubator-seata-go/issues/817
**What happened**:

https://github.com/apache/incubator-seata-go/security/dependabot/22
https://github.com/apache/incubator-seata-go/security/dependabot/23
https://github.com/apache/incubator-seata-go/security/dependabot/26
https://github.com/apache/incubator-seata-go/security/dependabot/28
https://github.com/apache/incubator-seata-go/security/dependabot/29

```
=== Symbol Results ===

Vulnerability #1: GO-2025-3563
    Request smuggling due to acceptance of invalid chunked data in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3563
  Standard library
    Found in: net/http/internal@go1.22.4
    Fixed in: net/http/internal@go1.23.8
    Example traces found:
      #1: pkg/compressor/deflate_compress.go:46:19: compressor.DeflateCompress.Decompress calls io.ReadAll, which eventually calls internal.chunkedReader.Read

Vulnerability #2: GO-2025-3447
    Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec
  More info: https://pkg.go.dev/vuln/GO-2025-3447
  Standard library
    Found in: crypto/internal/nistec@go1.22.4
    Fixed in: crypto/internal/nistec@go1.22.12
    Platforms: ppc64le
    Example traces found:
      #1: pkg/datasource/sql/db.go:218:44: sql.DBResource.ConnectionForXA calls ora.OracleConnector.Connect, which eventually calls nistec.P256Point.ScalarBaseMult
      #2: pkg/compressor/zip_compress.go:51:22: compressor.Zip.Decompress calls io.Copy, which eventually calls nistec.P256Point.ScalarMult
      #3: pkg/datasource/sql/db.go:218:44: sql.DBResource.ConnectionForXA calls mysql.connector.Connect, which eventually calls nistec.P256Point.SetBytes

Vulnerability #3: GO-2025-3373
    Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-3373
  Standard library
    Found in: crypto/x509@go1.22.4
    Fixed in: crypto/x509@go1.22.11
    Example traces found:
      #1: pkg/compressor/zip_compress.go:51:22: compressor.Zip.Decompress calls io.Copy, which eventually calls x509.Certificate.Verify
      #2: pkg/compressor/zip_compress.go:51:22: compressor.Zip.Decompress calls io.Copy, which eventually calls x509.Certificate.VerifyHostname
      #3: pkg/rm/rm_remoting.go:129:63: rm.RMRemoting.RegisterResource calls x509.HostnameError.Error
      #4: pkg/datasource/sql/db.go:218:44: sql.DBResource.ConnectionForXA calls ora.OracleConnector.Connect, which eventually calls x509.MarshalPKCS1PrivateKey
      #5: pkg/rm/tcc/fence/handler/tcc_fence_wrapper_handler.go:221:30: handler.tccFenceWrapperHandler.DestroyLogCleanChannel calls sync.Once.Do, which eventually calls x509.ParseCertificate
      #6: pkg/datasource/sql/db.go:218:44: sql.DBResource.ConnectionForXA calls ora.OracleConnector.Connect, which eventually calls x509.ParseCertificateRequest
      #7: pkg/rm/tcc/fence/handler/tcc_fence_wrapper_handler.go:221:30: handler.tccFenceWrapperHandler.DestroyLogCleanChannel calls sync.Once.Do, which eventually calls x509.ParseCertificates
      #8: pkg/datasource/sql/db.go:218:44: sql.DBResource.ConnectionForXA calls ora.OracleConnector.Connect, which eventually calls x509.ParseECPrivateKey
      #9: pkg/datasource/sql/db.go:218:44: sql.DBResource.ConnectionForXA calls ora.OracleConnector.Connect, which eventually calls x509.ParsePKCS1PrivateKey
      #10: pkg/datasource/sql/db.go:218:44: sql.DBResource.ConnectionForXA calls ora.OracleConnector.Connect, which eventually calls x509.ParsePKCS8PrivateKey
      #11: pkg/datasource/sql/db.go:218:44: sql.DBResource.ConnectionForXA calls mysql.connector.Connect, which eventually calls x509.ParsePKIXPublicKey

Vulnerability #4: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.17.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: pkg/rm/rm_remoting.go:129:63: rm.RMRemoting.RegisterResource calls http2.ConnectionError.Error
      #2: pkg/datasource/sql/exec/select_for_update_executor.go:206:31: exec.SelectForUpdateExecutor.ExecWithValue calls fmt.Sprintf, which eventually calls http2.ErrCode.String
      #3: pkg/datasource/sql/exec/select_for_update_executor.go:206:31: exec.SelectForUpdateExecutor.ExecWithValue calls fmt.Sprintf, which eventually calls http2.FrameHeader.String
      #4: pkg/datasource/sql/exec/select_for_update_executor.go:206:31: exec.SelectForUpdateExecutor.ExecWithValue calls fmt.Sprintf, which eventually calls http2.FrameType.String
      #5: pkg/discovery/etcd3.go:58:23: discovery.newEtcdRegistryService calls client.New, which eventually calls http2.Framer.ReadFrame
      #6: pkg/discovery/etcd3.go:58:23: discovery.newEtcdRegistryService calls client.New, which eventually calls http2.Framer.WriteContinuation
      #7: pkg/discovery/etcd3.go:58:23: discovery.newEtcdRegistryService calls client.New, which eventually calls http2.Framer.WriteData
      #8: pkg/discovery/etcd3.go:58:23: discovery.newEtcdRegistryService calls client.New, which eventually calls http2.Framer.WriteHeaders
      #9: pkg/discovery/etcd3.go:58:23: discovery.newEtcdRegistryService calls client.New, which eventually calls http2.Framer.WritePing
      #10: pkg/discovery/etcd3.go:58:23: discovery.newEtcdRegistryService calls client.New, which eventually calls http2.Framer.WriteRSTStream
      #11: pkg/discovery/etcd3.go:58:23: discovery.newEtcdRegistryService calls client.New, which eventually calls http2.Framer.WriteSettings
      #12: pkg/discovery/etcd3.go:58:23: discovery.newEtcdRegistryService calls client.New, which eventually calls http2.Framer.WriteSettingsAck
      #13: pkg/discovery/etcd3.go:58:23: discovery.newEtcdRegistryService calls client.New, which eventually calls http2.Framer.WriteWindowUpdate
      #14: pkg/datasource/sql/exec/select_for_update_executor.go:206:31: exec.SelectForUpdateExecutor.ExecWithValue calls fmt.Sprintf, which eventually calls http2.Setting.String
      #15: pkg/datasource/sql/exec/select_for_update_executor.go:206:31: exec.SelectForUpdateExecutor.ExecWithValue calls fmt.Sprintf, which eventually calls http2.SettingID.String
      #16: pkg/discovery/etcd3.go:58:23: discovery.newEtcdRegistryService calls client.New, which eventually calls http2.SettingsFrame.ForeachSetting
      #17: pkg/rm/rm_remoting.go:129:63: rm.RMRemoting.RegisterResource calls http2.StreamError.Error
      #18: pkg/compressor/zip_compress.go:51:22: compressor.Zip.Decompress calls io.Copy, which eventually calls http2.chunkWriter.Write
      #19: pkg/rm/rm_remoting.go:129:63: rm.RMRemoting.RegisterResource calls http2.connError.Error
      #20: pkg/rm/rm_remoting.go:129:63: rm.RMRemoting.RegisterResource calls http2.duplicatePseudoHeaderError.Error
      #21: pkg/rm/rm_remoting.go:129:63: rm.RMRemoting.RegisterResource calls http2.headerFieldNameError.Error
      #22: pkg/rm/rm_remoting.go:129:63: rm.RMRemoting.RegisterResource calls http2.headerFieldValueError.Error
      #23: pkg/rm/rm_remoting.go:129:63: rm.RMRemoting.RegisterResource calls http2.pseudoHeaderError.Error
      #24: pkg/datasource/sql/exec/select_for_update_executor.go:206:31: exec.SelectForUpdateExecutor.ExecWithValue calls fmt.Sprintf, which eventually calls http2.writeData.String
```

**What you expected to happen**:

**How to reproduce it (as minimally and precisely as possible)**:

**Anything else we need to know?**:

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@seata.apache.org.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org