jcarmona
(Jose Antonio)
May 30, 2023, 11:11am
1
Hi! I have recently downloaded the latest Rclone release (1.62.2) and analysed it with Trivy (a security and vulnerability scanner). The result shows several vulnerabilities:
$ wget https://github.com/rclone/rclone/releases/download/v1.62.2/rclone-v1.62.2-linux-amd64.zip
$ unzip rclone-v1.62.2-linux-amd64.zip && cd rclone-v1.62.2-linux-amd64/
$ trivy rootfs .
2023-05-30T11:06:06.212Z INFO Vulnerability scanning is enabled
2023-05-30T11:06:06.212Z INFO Secret scanning is enabled
2023-05-30T11:06:06.212Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-30T11:06:06.212Z INFO Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-30T11:06:08.945Z INFO Number of language-specific files: 1
2023-05-30T11:06:08.945Z INFO Detecting gobinary vulnerabilities...
rclone (gobinary)
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/aws/aws-sdk-go | CVE-2020-8911 | MEDIUM | v1.44.218 | | aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang... https://avd.aquasec.com/nvd/cve-2020-8911 |
| github.com/aws/aws-sdk-go | CVE-2020-8912 | LOW | v1.44.218 | | aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang... https://avd.aquasec.com/nvd/cve-2020-8912 |
| github.com/cloudflare/circl | CVE-2023-1732 | MEDIUM | v1.1.0 | 1.3.3 | Improper random reading in CIRCL https://avd.aquasec.com/nvd/cve-2023-1732 |
Do you have any information/statement about these CVEs related to your product? Is your software actually affected by them?
Thanks in advance!
rclone is using Dependabot · GitHub
It means that when a new version of a dependency is released, it is automatically updated.
For example, for circl you can see that it will be included in the next release:
rclone:master
← rclone:dependabot/go_modules/github.com/cloudflare/circl-1.3.3
opened 08:42PM - 11 May 23 UTC
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/cloudflare/circl/releases">github.com/cloudflare/circl's releases</a>.</em></p>
<blockquote>
<h2>CIRCL v1.3.3</h2>
<h2>New Features</h2>
<ul>
<li><a href="https://ascon.iaik.tugraz.at/">ASCON</a> light-weight authenticated encryption.</li>
<li>Hybrid KEM for HPKE based on Kyber and X25519.</li>
<li>CIRCL can be compiled both as static and dynamic linking modes.</li>
</ul>
<h2>Security</h2>
<ul>
<li>Fixes error-handling on rand readers.</li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>Use untyped consts for Kyber params by <a href="https://github.com/tmthrgd"><code>@tmthrgd</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/398">cloudflare/circl#398</a></li>
<li>zk/dl: adds prefixed labels and updates nomenclature. by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/396">cloudflare/circl#396</a></li>
<li>Bumping Go version. by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/399">cloudflare/circl#399</a></li>
<li>kem: add P-256 + Kyber768Draft00 hybrid by <a href="https://github.com/bwesterb"><code>@bwesterb</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/402">cloudflare/circl#402</a></li>
<li>ckem: pass xof to elliptic.GenerateKey directly by <a href="https://github.com/bwesterb"><code>@bwesterb</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/403">cloudflare/circl#403</a></li>
<li>Adding Ascon, an AEAD lightweight cipher. by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/400">cloudflare/circl#400</a></li>
<li>Add Ascon-80pq to cipher\ascon by <a href="https://github.com/dhcgn"><code>@dhcgn</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/404">cloudflare/circl#404</a></li>
<li>ascon: update formulas and check for API compatibility by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/406">cloudflare/circl#406</a></li>
<li>all: enables dynamic linking, removes R15 is clobbered by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/407">cloudflare/circl#407</a></li>
<li>ascon: Removes table of constants. by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/408">cloudflare/circl#408</a></li>
<li>tkn20: prevent panics on key gen errors by <a href="https://github.com/tmthrgd"><code>@tmthrgd</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/409">cloudflare/circl#409</a></li>
<li>expander,tkn20: remove superfluous Reset calls by <a href="https://github.com/tmthrgd"><code>@tmthrgd</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/410">cloudflare/circl#410</a></li>
<li>Updating stdlib crypto library. by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/413">cloudflare/circl#413</a></li>
<li>Reduce x/crypto and x/sys versions to match Go 1.20 by <a href="https://github.com/Lekensteyn"><code>@Lekensteyn</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/414">cloudflare/circl#414</a></li>
<li>Make ascon cipher go routine safe by <a href="https://github.com/enj"><code>@enj</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/416">cloudflare/circl#416</a></li>
<li>tkn20,kyber,x25519,x448: plug constant-time leaks by <a href="https://github.com/tmthrgd"><code>@tmthrgd</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/411">cloudflare/circl#411</a></li>
<li>Check for crypto/rand errors and ReadFull io.Readers by <a href="https://github.com/bwesterb"><code>@bwesterb</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/417">cloudflare/circl#417</a></li>
<li>Fix encapsulation seed size by <a href="https://github.com/chris-wood"><code>@chris-wood</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/419">cloudflare/circl#419</a></li>
<li>Add X25519Kyber768Draft00 experimental HPKE KEM by <a href="https://github.com/chris-wood"><code>@chris-wood</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/421">cloudflare/circl#421</a></li>
<li>hpke: Adding NonceSize function to AEAD. by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/424">cloudflare/circl#424</a></li>
<li>hpke: Address always nil parameter. by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/425">cloudflare/circl#425</a></li>
<li>hpke: update and move xyber768d00 test vectors by <a href="https://github.com/bwesterb"><code>@bwesterb</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/426">cloudflare/circl#426</a></li>
<li>hpke: fix encapsulation seed in test for xyber by <a href="https://github.com/bwesterb"><code>@bwesterb</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/428">cloudflare/circl#428</a></li>
<li>Remove scalar sha3 amd64 assembly by <a href="https://github.com/bwesterb"><code>@bwesterb</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/429">cloudflare/circl#429</a></li>
<li>Add HPKE benchmarks by <a href="https://github.com/chris-wood"><code>@chris-wood</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/434">cloudflare/circl#434</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/tmthrgd"><code>@tmthrgd</code></a> made their first contribution in <a href="https://redirect.github.com/cloudflare/circl/pull/398">cloudflare/circl#398</a></li>
<li><a href="https://github.com/dhcgn"><code>@dhcgn</code></a> made their first contribution in <a href="https://redirect.github.com/cloudflare/circl/pull/404">cloudflare/circl#404</a></li>
<li><a href="https://github.com/Lekensteyn"><code>@Lekensteyn</code></a> made their first contribution in <a href="https://redirect.github.com/cloudflare/circl/pull/414">cloudflare/circl#414</a></li>
<li><a href="https://github.com/enj"><code>@enj</code></a> made their first contribution in <a href="https://redirect.github.com/cloudflare/circl/pull/416">cloudflare/circl#416</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/cloudflare/circl/compare/v1.3.2...v1.3.3">https://github.com/cloudflare/circl/compare/v1.3.2...v1.3.3</a></p>
<h2>CIRCL v1.3.2</h2>
<h2>What's Changed</h2>
<ul>
<li>oprf: Updating test vectors for VOPRF rc-rfc. by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/388">cloudflare/circl#388</a></li>
<li>abe: Make golden files for cpabe. by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/392">cloudflare/circl#392</a></li>
<li>abe: Improve test clarity by <a href="https://github.com/tanyav2"><code>@tanyav2</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/393">cloudflare/circl#393</a></li>
<li>tkn20: change seed size for MAC key from 128->448 bits in accordance … by <a href="https://github.com/tanyav2"><code>@tanyav2</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/394">cloudflare/circl#394</a></li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/cloudflare/circl/commit/3bef500f2b925f150815a360b90081021e082939"><code>3bef500</code></a> Releasing CIRCL v1.3.3</li>
<li><a href="https://github.com/cloudflare/circl/commit/4002bafcebdd3b32974f70cf86a4682f82d9b3b5"><code>4002baf</code></a> Add HPKE benchmarks</li>
<li><a href="https://github.com/cloudflare/circl/commit/795540340d5c79e5768a0135741cd7c3e5f7de93"><code>7955403</code></a> Remove scalar sha3 amd64 assembly</li>
<li><a href="https://github.com/cloudflare/circl/commit/aef72508ab9bf35177e84ae23f94170f4546b63e"><code>aef7250</code></a> hpke: fix encapsulation seed in test for xyber</li>
<li><a href="https://github.com/cloudflare/circl/commit/808526a555262691f406ceed2ac1e4e7421faf96"><code>808526a</code></a> hpke: update and move xyber768d00 test vectors</li>
<li><a href="https://github.com/cloudflare/circl/commit/c7845aa1035e0b2d0397663e0adc283fd16af50a"><code>c7845aa</code></a> Address always nil parameter.</li>
<li><a href="https://github.com/cloudflare/circl/commit/2475a3f4a6255da8795b2a8f0ec7e71e3ee6d37e"><code>2475a3f</code></a> Adding NonceSize function to AEAD.</li>
<li><a href="https://github.com/cloudflare/circl/commit/eaec71f4cccf05035481b034b8ce9dc8755118ec"><code>eaec71f</code></a> Add X25519Kyber768Draft00 experimental HPKE KEM</li>
<li><a href="https://github.com/cloudflare/circl/commit/f0db2881a9618356223ed31090cdb33feb1e6d23"><code>f0db288</code></a> Fix encapsulation seed size</li>
<li><a href="https://github.com/cloudflare/circl/commit/f4c0e87526ec17305e8a573f1c58acedc5539a92"><code>f4c0e87</code></a> Update go-ristretto dep</li>
<li>Additional commits viewable in <a href="https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3">compare view</a></li>
</ul>
</details>
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/rclone/rclone/network/alerts).
</details>
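Trivy's gobinary scanner reads the module list that the Go linker embeds in the binary (the same data `go version -m rclone` prints) and matches those versions against its advisory database. That answers "which module versions are linked in", not "is rclone actually affected", because a module can be present while the vulnerable package or function is never linked or called. The Go program below is an added example, not code from this thread or from the rclone project: it performs the same version match from the binary's build info against the three findings in the first post, and separates the case with a fix available (circl below 1.3.3, gone once the Dependabot bump above ships) from the two aws-sdk-go rows with no fixed version, where the only useful follow-up is a package-level check. The advisory table, the `service/s3/s3crypto` package name (taken from the CVE titles, which name the S3 Crypto SDK), and the `buildInfoOf` test helper are assumptions of this example, not scanner output.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Advisory is a constructed, minimal form of what Trivy matches on: a module
// path and the first version that ships the fix. An empty FixedIn means no
// fixed release exists, as the two aws-sdk-go rows above show. Package is an
// assumption from the CVE text, used only to phrase the follow-up check.
type Advisory struct {
	ID, Module, FixedIn, Package string
}

// advisories mirrors the three rows of the Trivy table in the first post.
var advisories = []Advisory{
	{ID: "CVE-2023-1732", Module: "github.com/cloudflare/circl", FixedIn: "v1.3.3"},
	{ID: "CVE-2020-8911", Module: "github.com/aws/aws-sdk-go", Package: "service/s3/s3crypto"},
	{ID: "CVE-2020-8912", Module: "github.com/aws/aws-sdk-go", Package: "service/s3/s3crypto"},
}

// Finding is one advisory whose module is linked into the binary.
type Finding struct {
	ID, Module, Installed, FixedIn, Note string
}

// parseVersion splits a Go module version ("v1.44.218", "v1.3.3-0.2023...-abcdef")
// into its numeric core and a flag for a pre-release/pseudo-version suffix.
func parseVersion(v string) (core [3]int, pre bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre = v[i] == '-'
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		core[i], _ = strconv.Atoi(p)
	}
	return core, pre
}

// olderThan reports whether installed sorts before fixed under semver ordering:
// numeric major.minor.patch, with a pre-release sorting below its release.
func olderThan(installed, fixed string) bool {
	a, aPre := parseVersion(installed)
	b, bPre := parseVersion(fixed)
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return aPre && !bPre
}

// buildInfoOf builds a BuildInfo from a constructed module list, so Evaluate
// can be exercised without a real binary (test helper, not scanner data).
func buildInfoOf(mods map[string]string) *debug.BuildInfo {
	bi := &debug.BuildInfo{}
	for p, v := range mods {
		bi.Deps = append(bi.Deps, &debug.Module{Path: p, Version: v})
	}
	return bi
}

// Evaluate does what the gobinary scanner does: match the module list embedded
// in the binary against the advisories, by module path and version only.
func Evaluate(bi *debug.BuildInfo, advs []Advisory) []Finding {
	installed := map[string]string{}
	for _, d := range bi.Deps {
		v := d.Version
		if d.Replace != nil { // replace directive: the replacement is what was linked
			v = d.Replace.Version
		}
		installed[d.Path] = v
	}
	var out []Finding
	for _, a := range advs {
		v, ok := installed[a.Module]
		if !ok {
			continue
		}
		f := Finding{ID: a.ID, Module: a.Module, Installed: v, FixedIn: a.FixedIn}
		switch {
		case a.FixedIn == "":
			// Nothing to compare against; the useful question is whether the
			// vulnerable package is linked in at all (see the note below the code).
			f.Note = "no fixed release; check whether package " + a.Package + " is linked into the binary"
		case olderThan(v, a.FixedIn):
			f.Note = "below fixed version " + a.FixedIn + "; a module match does not prove the vulnerable code path is reachable"
		default:
			continue // at or above the fixed version
		}
		out = append(out, f)
	}
	return out
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: go run . /path/to/rclone")
		os.Exit(2)
	}
	bi, err := buildinfo.ReadFile(os.Args[1]) // the same data Trivy and `go version -m` read
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range Evaluate(bi, advisories) {
		fmt.Printf("%s %s %s: %s\n", f.ID, f.Module, f.Installed, f.Note)
	}
}
```

Run it as `go run . rclone` against the extracted binary. For the two S3 Crypto SDK rows, `go tool nm rclone | grep s3crypto` shows whether that package is linked in at all; if it is not, the module-level finding is a false positive for this binary. `govulncheck -mode=binary rclone` automates that step, reporting only vulnerabilities whose affected symbols are present in the binary, which is the question the first post is really asking.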
system
(system)
Closed
July 30, 2023, 7:53am
3
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.