Source: golang-github-sylabs-sif
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for golang-github-sylabs-sif.

CVE-2021-29499[0]:
| SIF is an open source implementation of the Singularity Container
| Image Format. The `siftool new` command and func siftool.New() produce
| predictable UUID identifiers due to insecure randomness in the version
| of the `github.com/satori/go.uuid` module used as a dependency. A
| patch is available in version >= v1.2.3 of the module. Users are
| encouraged to upgrade. As a workaround, users passing CreateInfo
| struct should ensure the `ID` field is generated using a version of
| `github.com/satori/go.uuid` that is not vulnerable to this issue.

https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29499
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29499

Please adjust the affected versions in the BTS as needed.
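
Added example, not part of the original report or of the sylabs/sif project: a small Go check that reads a go.mod and reports whether it requires github.com/sylabs/sif older than the v1.2.3 named in the CVE text. It assumes "the module" in that text means github.com/sylabs/sif; the go.mod content and the function names are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod, embedded so the example runs offline.
const sampleGoMod = "module example.com/builder\n\nrequire (\n\tgithub.com/sylabs/sif v1.2.2 // indirect\n\tgithub.com/spf13/cobra v1.1.3\n)\n"

// Patched release from the CVE text (assumed to refer to github.com/sylabs/sif).
var fixed = [3]int{1, 2, 3}

// olderThanFix reports whether version v sorts before v1.2.3.
// Unparsable versions return true so they get a manual look.
func olderThanFix(v string) bool {
	core, pre := strings.TrimPrefix(v, "v"), false
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		pre, core = core[i] == '-', core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return true
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n != fixed[i] {
			return err != nil || n < fixed[i]
		}
	}
	return pre // a pre-release or pseudo-version of 1.2.3 precedes the fix
}

// affectedSIF scans go.mod text for a requirement on github.com/sylabs/sif,
// in either the single-line or the block form of the require directive.
func affectedSIF(gomod string) (version string, affected, found bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) > 0 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) >= 2 && f[0] == "github.com/sylabs/sif" {
			return f[1], olderThanFix(f[1]), true
		}
	}
	return "", false, false
}

func main() { fmt.Println(affectedSIF(sampleGoMod)) }
```

The check looks only at the version recorded in go.mod; a `replace` directive or a vendored copy can change what is actually built.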