mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-01-29 21:39:23 +00:00
14039c9089
In order to fix: ``` === Running govulncheck on containerd-shim-kata-v2 === Vulnerabilities found in containerd-shim-kata-v2: === Symbol Results === Vulnerability #1: GO-2025-4015 Excessive CPU consumption in Reader.ReadResponse in net/textproto More info: https://pkg.go.dev/vuln/GO-2025-4015 Standard library Found in: net/textproto@go1.24.6 Fixed in: net/textproto@go1.24.8 Vulnerable symbols found: #1: textproto.Reader.ReadResponse Vulnerability #2: GO-2025-4014 Unbounded allocation when parsing GNU sparse map in archive/tar More info: https://pkg.go.dev/vuln/GO-2025-4014 Standard library Found in: archive/tar@go1.24.6 Fixed in: archive/tar@go1.24.8 Vulnerable symbols found: #1: tar.Reader.Next Vulnerability #3: GO-2025-4013 Panic when validating certificates with DSA public keys in crypto/x509 More info: https://pkg.go.dev/vuln/GO-2025-4013 Standard library Found in: crypto/x509@go1.24.6 Fixed in: crypto/x509@go1.24.8 Vulnerable symbols found: #1: x509.Certificate.Verify #2: x509.Certificate.Verify Vulnerability #4: GO-2025-4012 Lack of limit when parsing cookies can cause memory exhaustion in net/http More info: https://pkg.go.dev/vuln/GO-2025-4012 Standard library Found in: net/http@go1.24.6 Fixed in: net/http@go1.24.8 Vulnerable symbols found: #1: http.Client.Do #2: http.Client.Get #3: http.Client.Head #4: http.Client.Post #5: http.Client.PostForm Use '-show traces' to see the other 9 found symbols Vulnerability #5: GO-2025-4011 Parsing DER payload can cause memory exhaustion in encoding/asn1 More info: https://pkg.go.dev/vuln/GO-2025-4011 Standard library Found in: encoding/asn1@go1.24.6 Fixed in: encoding/asn1@go1.24.8 Vulnerable symbols found: #1: asn1.Unmarshal #2: asn1.UnmarshalWithParams Vulnerability #6: GO-2025-4010 Insufficient validation of bracketed IPv6 hostnames in net/url More info: https://pkg.go.dev/vuln/GO-2025-4010 Standard library Found in: net/url@go1.24.6 Fixed in: net/url@go1.24.8 Vulnerable symbols found: #1: url.JoinPath #2: url.Parse #3: url.ParseRequestURI #4: url.URL.Parse #5: url.URL.UnmarshalBinary Vulnerability #7: GO-2025-4009 Quadratic complexity when parsing some invalid inputs in encoding/pem More info: https://pkg.go.dev/vuln/GO-2025-4009 Standard library Found in: encoding/pem@go1.24.6 Fixed in: encoding/pem@go1.24.8 Vulnerable symbols found: #1: pem.Decode Vulnerability #8: GO-2025-4008 ALPN negotiation error contains attacker controlled information in crypto/tls More info: https://pkg.go.dev/vuln/GO-2025-4008 Standard library Found in: crypto/tls@go1.24.6 Fixed in: crypto/tls@go1.24.8 Vulnerable symbols found: #1: tls.Conn.Handshake #2: tls.Conn.HandshakeContext #3: tls.Conn.Read #4: tls.Conn.Write #5: tls.Dial Use '-show traces' to see the other 4 found symbols Vulnerability #9: GO-2025-4007 Quadratic complexity when checking name constraints in crypto/x509 More info: https://pkg.go.dev/vuln/GO-2025-4007 Standard library Found in: crypto/x509@go1.24.6 Fixed in: crypto/x509@go1.24.9 Vulnerable symbols found: #1: x509.CertPool.AppendCertsFromPEM #2: x509.Certificate.CheckCRLSignature #3: x509.Certificate.CheckSignature #4: x509.Certificate.CheckSignatureFrom #5: x509.Certificate.CreateCRL Use '-show traces' to see the other 27 found symbols Vulnerability #10: GO-2025-4006 Excessive CPU consumption in ParseAddress in net/mail More info: https://pkg.go.dev/vuln/GO-2025-4006 Standard library Found in: net/mail@go1.24.6 Fixed in: net/mail@go1.24.8 Vulnerable symbols found: #1: mail.AddressParser.Parse #2: mail.AddressParser.ParseList #3: mail.Header.AddressList #4: mail.ParseAddress #5: mail.ParseAddressList ``` Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>