GHSA-gmq2-39ff-f5qg: 
vulnerability analysis and mitigation

A low severity vulnerability (GHSA-gmq2-39ff-f5qg) was discovered in the cloudflare/tableflip Go module affecting versions below 1.2.1. The vulnerability was published on February 1, 2021, and involves hung goroutines in the parent process after a failed upgrade (GitHub Advisory).

The vulnerability stems from the Go runtime's behavior regarding ONONBLOCK flags. When exec.Cmd.Start() calls os.File.Fd() for files in exec.Cmd.ExtraFiles, it disables the runtime poller and clears ONONBLOCK from the underlying open file descriptor. This behavior affects goroutines that depend on either deadlines or Close() interruptions, causing them to become stuck in read or accept syscalls (GitHub Advisory).

The primary impact is that processes using tableflip may experience hung goroutines in the parent process following a failed upgrade attempt. However, the issue has been noted as rare, with no reported occurrences in production environments (GitHub Advisory).

The vulnerability has been patched in version 1.2.2 of the tableflip module. No alternative workarounds are available, making upgrading to the patched version the only solution (GitHub Advisory).