[GH-ISSUE #8724] Govulncheck highlights known CVEs in released binaries #5658

Open
opened 2026-04-12 16:57:18 -05:00 by GiteaMirror · 0 comments
Owner

Originally created by @blgm on GitHub (Jan 31, 2025).
Original GitHub issue: https://github.com/ollama/ollama/issues/8724

From extracting ollama-0.5.7-linux-amd64.tgz:

$ govulncheck -mode=binary bin/ollama

Highlights GO-2025-3420 and GO-2025-3373 as exploitable, and which could be resolved by simply using the latest patch of the Go compiler (1.23.5). Running govulncheck on the latest source reports the same vulnerabilities as exploitable.

This report is very similar to https://github.com/ollama/ollama/issues/7355, and the fix would be something like https://github.com/ollama/ollama/pull/7379.

I haven't done a PR myself as unfortunately I'm not yet in a position to contribute, or test contributions to this project yet.

I'm not doing a private security report on the basis that these CVEs are already public and discoverable using standard tools, but if this was the wrong call please to let me know for next time.

Originally created by @blgm on GitHub (Jan 31, 2025). Original GitHub issue: https://github.com/ollama/ollama/issues/8724 From extracting `ollama-0.5.7-linux-amd64.tgz`: ``` $ govulncheck -mode=binary bin/ollama ``` Highlights [GO-2025-3420](https://pkg.go.dev/vuln/GO-2025-3420) and [GO-2025-3373](https://pkg.go.dev/vuln/GO-2025-3373) as exploitable, and which could be resolved by simply using the latest patch of the Go compiler (1.23.5). Running `govulncheck` on the latest source reports the same vulnerabilities as exploitable. This report is very similar to https://github.com/ollama/ollama/issues/7355, and the fix would be something like https://github.com/ollama/ollama/pull/7379. I haven't done a PR myself as unfortunately I'm not yet in a position to contribute, or test contributions to this project yet. I'm not doing a private security report on the basis that these CVEs are already public and discoverable using standard tools, but if this was the wrong call please to let me know for next time.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/ollama#5658