Golang x/net: vuln: CVE-2023-39325, CVE-2023-39326, and CVE-2023-44487

govulncheck version

Devs, I'm dealing with a corporate vulnerability scanning tool, and trying to determine the specific version(s) of golang.org/x/net that fixes these issues: • CVE-2023-39326 • CVE-2023-44487

I already found that CVE-2023-39325 was fixed in x/net v0.17.0 per commit # b225e7c, but cannot find same for the two above. Any help?

(All three vulns pertain to http/2, so I presume all would be fixed in x/net.)

Does this issue reproduce at the latest version of golang.org/x/vuln?

N/A

Output of go env in your module/workspace:

(I don't have access to this info.)

What did you do?

Dealing with Anchore container scans, which is flagging our version of conmon.

What did you see happen?

Anchore flags conmon with these three vulns.

What did you expect to see?

We are patched for CVE-2023-39325 since our conmon is built using golang.org/x/net v0.19.0.

Looking for same level of detail (the specific commit) for these two: • CVE-2023-39326 • CVE-2023-44487

Comment From: gabyhelp

Related Issues

• net/http: CVE-2023-45289 affected versions #66696 (closed)
• x/tools: update golang.org/x/net dependency to v0.17.0 to patch CVE-2023-44487 and CVE-2023-39325 #63577 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

Comment From: pcreager23

Neither of those "related issues" from @gabyhelp are relevant.

Comment From: seankhliao

Unlike many projects, the Go project does not use GitHub Issues for general discussion or asking questions. GitHub Issues are used for tracking bugs and proposals only.

For questions please refer to https://github.com/golang/go/wiki/Questions

Comment From: pcreager23

@seankhliao, I will check those links, but: Would this not be "tracking bugs"?