Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/hashicorp/yamux: GHSA-29qp-crvh-w22m #3430

Closed
GoVulnBot opened this issue Jan 29, 2025 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/hashicorp/yamux: GHSA-29qp-crvh-w22m #3430

GoVulnBot opened this issue Jan 29, 2025 · 1 comment
Labels
high priority triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-29qp-crvh-w22m references a vulnerability in the following Go modules:

Module
github.com/hashicorp/yamux

Description:
The default values for Session.config.KeepAliveInterval and Session.config.ConnectionWriteTimeout of 30s and 10s create the possibility for timed out writes that most aren't handling in their readers.

Calls to Stream.Read on one side of a connection will hang until the underlying Session is closed if the corresponding Stream.Write call on the other side it's waiting for returns with ErrConnectionWriteTimeout. This happens in the case of network congestion between the two sides.

If you keep Session.sendCh full (fixed capacity of 64) for ConnectionWriteTimeout, but for less than the KeepAliveI...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/yamux
      non_go_versions:
        - introduced: TODO (earliest fixed "", vuln range ">= 0.1.0, <= 0.1.2")
      vulnerable_at: 0.1.2
summary: |-
    github.com/hashicorp/yamux's DefaultConfig has dangerous defaults causing hung
    Read in github.com/hashicorp/yamux
ghsas:
    - GHSA-29qp-crvh-w22m
references:
    - advisory: https://github.com/advisories/GHSA-29qp-crvh-w22m
    - fix: https://github.com/hashicorp/yamux/pull/143
    - report: https://github.com/golang/vulndb/issues/3408
    - report: https://github.com/hashicorp/yamux/issues/142
source:
    id: GHSA-29qp-crvh-w22m
    created: 2025-01-29T20:01:27.54291827Z
review_status: UNREVIEWED
@tatianab
Copy link
Contributor

tatianab commented Feb 6, 2025

Withdrawn report.

@tatianab tatianab closed this as completed Feb 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
high priority triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tatianab @GoVulnBot