Skip to content

CVE(s) found in v0.21.13 #1682

Description

@github-actions

Latest lifecycle release v0.21.13 triggered CVE(s) from Grype. For further details, see: https://github.com/buildpacks/lifecycle/actions/runs/29220594307 json: {
"id": "GO-2026-5856",
"severity": "Medium",
"description": "Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello."
}
{
"id": "GO-2026-5856",
"severity": "Medium",
"description": "Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello."
}
{
"id": "GO-2026-4970",
"severity": "High",
"description": "On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /.\n\nFor example, 'root.Open("symlink/")' will open "symlink" even when "symlink" is a symbolic link pointing outside of the root."
}
{
"id": "GO-2026-4970",
"severity": "High",
"description": "On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /.\n\nFor example, 'root.Open("symlink/")' will open "symlink" even when "symlink" is a symbolic link pointing outside of the root."
}
{
"id": "GO-2026-5932",
"severity": "Unknown",
"description": "The golang.org/x/crypto/openpgp package is unsafe by design, has numerous known security issues, is not maintained, and should not be used.\n\nIf you are required to interoperate with OpenPGP systems and need a maintained package, consider github.com/ProtonMail/go-crypto/openpgp which is a maintained fork that aims to be a drop-in replacement for this package."
}

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions