HIGH 8.3
GHSA-fpg8-7664-jc5q
melange: Incomplete package integrity verification allows data section substitution
Details
Previously, Apko verified the control section hash (`.PKGINFO` etc.) against the signed `APKINDEX`, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file contents while the control hash check still passed.
Are you affected?
Enter the version of the package you're using.
Affected packages
Go / chainguard.dev/melange
Introduced in:
0 Fixed in: 0.50.4 Fix
go get chainguard.dev/melange@v0.50.4