Make repository self-contained #4
Labels: T:enhancement (Type: Enhancement)
deleted all existing releases (via little bash script), we can switch to github actions later, step by step
staheri14 added a commit that referenced this issue on Mar 11, 2024:
In order to fix the go vulnerabilities that are fixed in the new patch:

```
Vulnerability #1: GO-2024-2610
    Errors returned from JSON marshaling may break template escaping in html/template
  More info: https://pkg.go.dev/vuln/GO-2024-2610
  Standard library
    Found in: html/[email protected]
    Fixed in: html/[email protected]
    Example traces found:
      #1: test/fuzz/rpc/jsonrpc/server/handler.go:30:15: server.Fuzz calls http.ServeMux.ServeHTTP, which eventually calls template.Template.Execute
      #2: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls template.Template.ExecuteTemplate

Vulnerability #2: GO-2024-2600
    Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2600
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
      #1: rpc/jsonrpc/client/http_json_client.go:213:34: client.Client.Call calls http.Client.Do
      #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls cobra.Command.Execute, which eventually calls http.Client.Get
      #3: p2p/upnp/upnp.go:205:20: upnp.getServiceURL calls http.Get

Vulnerability #3: GO-2024-2599
    Memory exhaustion in multipart form parsing in net/textproto and net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2599
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
      #1: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve, which eventually calls textproto.Reader.ReadLine
      #2: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve, which eventually calls textproto.Reader.ReadMIMEHeader

Vulnerability #4: GO-2024-2598
    Verify panics on certificates with an unknown public key algorithm in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2024-2598
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]
    Example traces found:
      #1: libs/autofile/group.go:479:30: autofile.GroupReader.Read calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify

Your code is affected by 4 vulnerabilities from the Go standard library.
```
This tendermint fork was renamed and lives under a different organization. Some trivial changes are necessary to make this repository useable (and not still use the orig tendermint

- github.com/lazyledger/lazyledger-core/*
- and deal with go.mod

@marbar3778 has a branch with an (almost) working version of CI using github actions (see https://github.com/marbar3778/tendermint/pull/5/files). We should help fixing this as we are currently not using any CI.

Current configuration is using circleci, here:
https://github.com/LazyLedger/lazyledger-core/blob/da745371227f54aa90c609845cd4cc2f36a152f1/.circleci/config.yml#L1-L450