data/reports: update GO-2024-3312

- data/reports/GO-2024-3312.yaml Updates #3312 Updates #3317 Change-Id: Iad811cea7386d8ffce93d299e79a0c29ac69924e Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635277 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Zvonimir Pavlinovic <[email protected]> Auto-Submit: Tatiana Bradley <[email protected]>
golang · Dec 11, 2024 · 4df5249 · 4df5249
1 parent 5664d52
commit 4df5249
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 14 deletions.
diff --git a/data/osv/GO-2024-3312.json b/data/osv/GO-2024-3312.json
@@ -4,10 +4,11 @@
   "modified": "0001-01-01T00:00:00Z",
   "published": "0001-01-01T00:00:00Z",
   "aliases": [
-    "CVE-2024-6156"
+    "CVE-2024-6156",
+    "GHSA-4c49-9fpc-hc3v"
   ],
-  "summary": "CVE-2024-6156 in github.com/canonical/lxd",
-  "details": "CVE-2024-6156 in github.com/canonical/lxd.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/canonical/lxd before v5.21.2.",
+  "summary": "CA certificate sign check bypass in github.com/canonical/lxd",
+  "details": "CA certificate sign check bypass in github.com/canonical/lxd",
   "affected": [
     {
       "package": {
@@ -20,11 +21,22 @@
           "events": [
             {
               "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20240708073652-5a492a3f0036"
             }
           ]
         }
       ],
       "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/canonical/lxd/lxd",
+            "symbols": [
+              "allowProjectResourceList"
+            ]
+          }
+        ],
         "custom_ranges": [
           {
             "type": "ECOSYSTEM",
@@ -44,15 +56,20 @@
   "references": [
     {
       "type": "ADVISORY",
-      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6156"
+      "url": "https://github.com/canonical/lxd/security/advisories/GHSA-4c49-9fpc-hc3v"
     },
     {
-      "type": "WEB",
-      "url": "https://github.com/canonical/lxd/security/advisories/GHSA-4c49-9fpc-hc3v"
+      "type": "FIX",
+      "url": "https://github.com/canonical/lxd/commit/92468bb60f4f1edf38ff0434414bea4f28afa711"
+    }
+  ],
+  "credits": [
+    {
+      "name": "@markylaing"
     }
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-3312",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/reports/GO-2024-3312.yaml b/data/reports/GO-2024-3312.yaml
@@ -1,16 +1,26 @@
 id: GO-2024-3312
 modules:
     - module: github.com/canonical/lxd
+      versions:
+        - fixed: 0.0.0-20240708073652-5a492a3f0036
       non_go_versions:
         - fixed: 5.21.2
-      vulnerable_at: 0.0.0-20241209155119-76da976c6ee7
-summary: CVE-2024-6156 in github.com/canonical/lxd
+      vulnerable_at: 0.0.0-20240705103458-cba65fb6bb93
+      packages:
+        - package: github.com/canonical/lxd/lxd
+          symbols:
+            - allowProjectResourceList
+summary: CA certificate sign check bypass in github.com/canonical/lxd
 cves:
     - CVE-2024-6156
+ghsas:
+    - GHSA-4c49-9fpc-hc3v
+credits:
+    - '@markylaing'
 references:
-    - advisory: https://www.cve.org/CVERecord?id=CVE-2024-6156
-    - web: https://github.com/canonical/lxd/security/advisories/GHSA-4c49-9fpc-hc3v
+    - advisory: https://github.com/canonical/lxd/security/advisories/GHSA-4c49-9fpc-hc3v
+    - fix: https://github.com/canonical/lxd/commit/92468bb60f4f1edf38ff0434414bea4f28afa711
 source:
-    id: CVE-2024-6156
-    created: 2024-12-09T18:00:39.790548961Z
-review_status: UNREVIEWED
+    id: GHSA-4c49-9fpc-hc3v
+    created: 2024-12-11T10:56:32.527785-05:00
+review_status: REVIEWED