Description of problem:
https://bugzilla.redhat.com/show_bug.cgi?id=1633022 and https://github.com/heketi/heketi/issues/1372
Debian, Ubuntu, SUSE, and CentOS Storage SIG packages are all built from the vendor tarball.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
TL;DR: the CVE does not affect GD2.

GD2 uses neither html.Parse() nor the golang.org/x/net/html package, and none of the other GD2 dependencies use html.Parse() or have a dependency on golang.org/x/net/html. The golang.org/x/net/html package is part of a larger repository that also contains golang.org/x/net/context, which is a dependency of GD2 brought in by GRPC. The shipped GD2 binaries in the distro packages are not affected by the html.Parse() CVE.

In any case, even if the net/html package were used by GD2, the Go build system by default strips unused functions and methods from the built binary, so html.Parse() would be stripped out because it is unused.

The source tarball that contains the vendored source for golang.org/x/net/html has the source file with the CVE, but it is in no way exploitable, as the source tarball doesn't contain any executables that use html.Parse().
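The argument above rests on the import graph: a package that sits in vendor/ but is imported by nothing never reaches the linker. The following is an added example (not GD2 or Bugzilla code) of how a packager can verify that claim from `go list -deps -json ./...` output instead of from the tarball contents; the root module name example.com/gd2 and the go list records are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)
// pkg is the subset of a `go list -deps -json` record this check needs.
type pkg struct {
	ImportPath string
	Imports    []string
}
// parseGraph reads the stream of JSON objects that `go list -deps -json ./...` prints.
func parseGraph(goList string) (map[string][]string, error) {
	graph := map[string][]string{}
	dec := json.NewDecoder(strings.NewReader(goList))
	for dec.More() {
		var p pkg
		if err := dec.Decode(&p); err != nil {
			return nil, err
		}
		graph[p.ImportPath] = p.Imports
	}
	return graph, nil
}
// importChain returns the import path from `from` to `target`, or nil when nothing reachable from `from` imports it (Go forbids import cycles, so plain DFS terminates).
func importChain(graph map[string][]string, from, target string) []string {
	if from == target {
		return []string{from}
	}
	for _, imp := range graph[from] {
		if chain := importChain(graph, imp, target); chain != nil {
			return append([]string{from}, chain...)
		}
	}
	return nil
}
// Constructed sample, not real go list output: x/net/context is reached via grpc, x/net/html sits in vendor/ but is imported by nothing.
const sampleGoList = `{"ImportPath":"example.com/gd2","Imports":["google.golang.org/grpc"]}
{"ImportPath":"google.golang.org/grpc","Imports":["golang.org/x/net/context"]}
{"ImportPath":"golang.org/x/net/context","Imports":[]}
{"ImportPath":"golang.org/x/net/html","Imports":[]}`
func main() {
	graph, err := parseGraph(sampleGoList)
	if err != nil {
		panic(err)
	}
	fmt.Println(importChain(graph, "example.com/gd2", "golang.org/x/net/context"))
	fmt.Println(importChain(graph, "example.com/gd2", "golang.org/x/net/html"))
}
```

On a real tree, pipe `go list -deps -json ./...` into parseGraph; a nil chain for golang.org/x/net/html means the package is dead weight in vendor/ and its code never enters the binary.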
In any case, I've done a new GD2 release v4.1.1 [1], just to avoid the back and forth. I'll repeat it again: the built GD2 v4.1.0 binaries and packages are not affected by this CVE.

[1]: https://github.com/gluster/glusterd2/releases/tag/v4.1.1