This repository has been archived by the owner on Nov 19, 2024. It is now read-only.
-
-
Notifications
You must be signed in to change notification settings - Fork 390
CVE-2024-0406 Archiver Path Traversal vulnerability #404
Labels
v3-deprecated
v3 (no longer developed)
Comments
that's only if using 3.5.1, 3.5.2 is good GHSA-rhh4-rh7c-7r5v |
But 3.5.2 is not released yet, it is only available in a fork |
DennisRasey
pushed a commit
to DennisRasey/forgejo
that referenced
this issue
Jun 6, 2024
It is not possible to tell vulncheck that Forgejo is not affected by CVE-2024-0406. Use a mirror of the repository to do that. Refs: mholt/archiver#404
DennisRasey
pushed a commit
to DennisRasey/forgejo
that referenced
this issue
Jun 6, 2024
It is not possible to tell vulncheck that Forgejo is not affected by CVE-2024-0406. Use a mirror of the repository to do that. Refs: mholt/archiver#404 (cherry picked from commit 3bfec27) Conflicts: go.sum trivial context conflict
DennisRasey
pushed a commit
to DennisRasey/forgejo
that referenced
this issue
Jun 6, 2024
It is not possible to tell vulncheck that Forgejo is not affected by CVE-2024-0406. Use a mirror of the repository to do that. Refs: mholt/archiver#404 (cherry picked from commit 3bfec27) Conflicts: go.sum trivial context conflict
@mholt Any chance to publish a |
@mholt I am also looking for the fix of this CVE. Any chance we are going to publish |
I'd also like to see a release of this. Our build is failing with |
@mholt Just checking in again to know if you plan to release the CVE-free version soon. |
@mholt Just rechecking if we will get CVE-free version any time soon? |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
https://pkg.go.dev/vuln/GO-2024-2698 was published today and makes https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck fail.
The text was updated successfully, but these errors were encountered: