Hi!
This Go package vendors a version of libwebp which is vulnerable to CVE-2023-4863. Upstream released v1.3.2, but since you're still on the 1.2.x branch you might want to cherry-pick the fix from the 1.2.4 branch if it's easier than bumping to a new minor: https://github.com/webmproject/libwebp/tree/1.2.4 (webmproject/libwebp@8bacd63)
Once that's done could you tag a new version of this package so older versions can be marked as vulnerable?
Thank you!
Best,
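A quick way to confirm the starting point of the report above, as an added example that is not part of the original issue or of libwebp: read the vendored libwebp version out of its decoder header and compare it with 1.3.2, the first upstream release carrying the CVE-2023-4863 fix. It assumes the vendored copy keeps upstream's layout (the DEC_MAJ_VERSION / DEC_MIN_VERSION / DEC_REV_VERSION macros in src/dec/vp8i_dec.h); the sample tree it builds is a constructed fixture, not a real checkout.

```shell
#!/bin/sh
# Added example (not from the issue or from libwebp): report the version of a
# vendored libwebp tree and say whether it predates the first fixed release.
# Assumption: upstream layout, version macros in src/dec/vp8i_dec.h.

FIXED_VERSION="1.3.2"   # first upstream release with the CVE-2023-4863 fix

# Print "MAJ.MIN.REV" for the libwebp tree rooted at $1; fail if not found.
libwebp_version() {
  hdr="$1/src/dec/vp8i_dec.h"
  [ -f "$hdr" ] || { echo "no vp8i_dec.h under $1" >&2; return 1; }
  maj=$(sed -n 's/^#define DEC_MAJ_VERSION[[:space:]]*\([0-9]*\).*/\1/p' "$hdr")
  min=$(sed -n 's/^#define DEC_MIN_VERSION[[:space:]]*\([0-9]*\).*/\1/p' "$hdr")
  rev=$(sed -n 's/^#define DEC_REV_VERSION[[:space:]]*\([0-9]*\).*/\1/p' "$hdr")
  [ -n "$maj" ] && [ -n "$min" ] && [ -n "$rev" ] || return 1
  echo "$maj.$min.$rev"
}

# Pack "MAJ.MIN.REV" into one integer, (maj<<16)|(min<<8)|rev, the same
# layout WebPGetDecoderVersion() returns, so versions compare numerically.
pack_version() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 16) | ($2 << 8) | $3 ))
}

# Exit 0 if the tree at $1 is older than FIXED_VERSION, 1 if not, 2 if the
# version could not be read at all.
libwebp_needs_fix() {
  v=$(libwebp_version "$1") || return 2
  [ "$(pack_version "$v")" -lt "$(pack_version "$FIXED_VERSION")" ]
}

# Constructed fixture for the demo: a throwaway tree holding only the version
# macros, in upstream's file layout. Arguments are MAJ MIN REV.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/src/dec"
  printf '#define DEC_MAJ_VERSION %s\n#define DEC_MIN_VERSION %s\n#define DEC_REV_VERSION %s\n' \
    "$1" "$2" "$3" > "$dir/src/dec/vp8i_dec.h"
  echo "$dir"
}

# Demo: a vendored copy still on 1.2.4.
sample=$(make_sample_tree 1 2 4)
if libwebp_needs_fix "$sample"; then
  echo "vendored libwebp $(libwebp_version "$sample") predates $FIXED_VERSION"
fi
rm -rf "$sample"
```

Point it at the vendored directory instead of the sample tree to check a real package. Note the limit of a version check: the backport on the 1.2.4 branch leaves these macros at 1.2.4, so a tree reads the same before and after the cherry-pick; this script tells you which copies to look at, not whether the fix landed. For that, inspect the vendored sources against the backport commit itself.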