title: "x/vuln: issue title"
labels: ["vulncheck or vulndb"]
body:
  - type: markdown
    attributes:
      value: "Please answer these questions before submitting your issue. Thanks! To add a new vulnerability to the Go vulnerability database (https://vuln.go.dev), see https://go.dev/s/vulndb-report-new. To report an issue about a report, see https://go.dev/s/vulndb-report-feedback."
  - type: textarea

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: 1.21.9
          check-latest: true
      - name: Get official govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
        shell: bash
      - name: Run govulncheck
        run: govulncheck -show verbose ./...

outside of the safe formats, etc.) are not treated as vulnerabilities..

### Reporting process

Please use [Google Bug Hunters reporting form](https://g.co/vulnz) to report
security vulnerabilities. Please include the following information along with
your report:

  - A descriptive title
  - Your name and affiliation (if any).

 [bom]: https://docs.gradle.org/6.2/userguide/platforms.html#sub:bom_import
 [bouncy_castle_releases]: https://www.bouncycastle.org/releasenotes.html
 [CVE-2021-0341]: https://nvd.nist.gov/vuln/detail/CVE-2021-0341
 [CVE-2022-24329]: https://nvd.nist.gov/vuln/detail/CVE-2022-24329
 [dev_server]: https://github.com/square/okhttp/blob/482f88300f78c3419b04379fc26c3683c10d6a9d/samples/guide/src/main/java/okhttp3/recipes/kt/DevServer.kt

      fail<Any>("expected cleartext blocking")
    } catch (_: java.net.UnknownServiceException) {
    }
  }

  data class HowsMySslResults(
    val unknown_cipher_suite_supported: Boolean,
    val beast_vuln: Boolean,
    val session_ticket_supported: Boolean,
    val tls_compression_supported: Boolean,
    val ephemeral_keys_supported: Boolean,
    val rating: String,
    val tls_version: String,

	VLEIB	$15, $255, V0           // e70000fff040
	VLEIH	$7, $-32768, V15        // e7f080007041
	VLEIF	$2, $-43, V16           // e700ffd52843
	VLEIG	$1, $32767, V31         // e7f07fff1842
	VSLDB	$3, V1, V16, V18        // e72100030a77
	VERIMB	$2, V31, V1, V2         // e72f10020472
	VSEL	V1, V2, V3, V4          // e7412000308d
	VGFMAH	V21, V31, V24, V0       // e705f10087bc

  CVE-2021-29923 golang standard library "net" - Improper Input Validation of octal literals in golang 1.16.2 and below standard library "net" results in indeterminate SSRF & RFI vulnerabilities.
  Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-29923 ([#104368](https://github.com/kubernetes/kubernetes/pull/104368), [@aojea](https://github.com/aojea))

## Security

* TF is currently using giflib 5.2.1 which has [CVE-2022-28506](https://nvd.nist.gov/vuln/detail/CVE-2022-28506). TF is not affected by the CVE as it does not use `DumpScreen2RGB` at all.