
Please tag a new release due to several vulnerabilities already fixed in dev branch #1580

@aylen384

subfinder/v2> git switch --detach v2.7.0
subfinder/v2> govulncheck ./cmd/subfinder/
=== Symbol Results ===

Vulnerability #1: GO-2025-3638
    ServerHellos are accepted without checking TLS 1.3 downgrade canaries in
    github.com/refraction-networking/utls
  More info: https://pkg.go.dev/vuln/GO-2025-3638
  Module: github.com/refraction-networking/utls
    Found in: github.com/refraction-networking/utls@v1.6.7
    Fixed in: github.com/refraction-networking/utls@v1.7.0
    Example traces found:
      #1: pkg/runner/options.go:184:81: runner.ParseOptions calls update.GetToolVersionCallback, which eventually calls utls.UConn.Handshake
      #2: pkg/runner/options.go:184:81: runner.ParseOptions calls update.GetToolVersionCallback, which eventually calls utls.UConn.Read
      #3: pkg/runner/options.go:184:81: runner.ParseOptions calls update.GetToolVersionCallback, which eventually calls utls.UConn.Write

Vulnerability #2: GO-2025-3595
    Incorrect Neutralization of Input During Web Page Generation in x/net in
    golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2025-3595
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.33.0
    Fixed in: golang.org/x/net@v0.38.0
    Example traces found:
      #1: pkg/runner/util.go:25:41: runner.preprocessDomain calls strings.NormalizeWithOptions, which eventually calls html.Tokenizer.Next

Vulnerability #3: GO-2024-2698
    Archiver Path Traversal vulnerability in github.com/mholt/archiver
  More info: https://pkg.go.dev/vuln/GO-2024-2698
  Module: github.com/mholt/archiver/v3
    Found in: github.com/mholt/archiver/v3@v3.5.1
    Fixed in: N/A
    Example traces found:
      #1: cmd/subfinder/main.go:7:2: subfinder.init calls gologger.init, which eventually calls archiver.init

Your code is affected by 3 vulnerabilities from 3 modules.
This scan also found 1 vulnerability in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

Run govulncheck on HEAD:

v2> git switch dev
Switched to branch 'dev'
Your branch is up to date with 'origin/dev'.
subfinder/v2> govulncheck ./cmd/subfinder/
=== Symbol Results ===

No vulnerabilities found.

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
