Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SECURITY] - Update Go to 1.22.7 to Address encoding/gob Issue (GO-2024-3106) #96

Closed
DarkRockMountain-admin opened this issue Nov 14, 2024 · 0 comments · Fixed by #99
Closed

[SECURITY] - Update Go to 1.22.7 to Address encoding/gob Issue (GO-2024-3106) #96

DarkRockMountain-admin opened this issue Nov 14, 2024 · 0 comments · Fixed by #99
Assignees
@JRocabruna
Labels
bug Something isn't working security Issues related to improving security.

Comments

@DarkRockMountain-admin
Copy link
Collaborator

Describe the bug
The encoding/gob package in Go versions prior to 1.22.7 contains a vulnerability (GO-2024-3106) that can cause a panic due to stack exhaustion when Decoder.Decode processes messages with deeply nested structures. This issue is identified as CVE-2024-34156.

To Reproduce
Use Decoder.Decode to process a message with deeply nested structures, leading to a stack overflow and application crash.

Expected behavior
The application should handle nested structures gracefully without causing a stack overflow or panic.

Screenshots
N/A

Desktop (please complete the following information):

  • Go version: 1.22.5
  • OS: [Your Operating System]
  • Architecture: [Your System Architecture]

Additional context
Upgrading to Go version 1.22.7 or later addresses this vulnerability. It's recommended to update the go.mod file to require Go 1.22.7 and ensure all dependencies are compatible with this version. For more details, refer to the official Go vulnerability report: GO-2024-3106.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@JRocabruna JRocabruna

Labels
bug Something isn't working security Issues related to improving security.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: update Go to 1.22.7 to address gob vulnerability (GO-2024-3106) darkrockmountain/gomail
2 participants
@JRocabruna @DarkRockMountain-admin