Package "golang-1.13"
Name: golang-1.13
Description: Go programming language compiler - metapackage
Latest version: 1.13.8-1ubuntu1.2
Release: focal (20.04)
Level: security
Repository: main
Homepage: https://golang.org
Changelog
golang-1.13 (1.13.8-1ubuntu1.2) focal-security; urgency=medium

  * SECURITY UPDATE: http request smuggling issue
    - debian/patches/CVE-2022-1705.patch: don't strip whitespace from
      Transfer-Encoding headers.
    - CVE-2022-1705
  * SECURITY UPDATE: DoS issue due to panic
    - debian/patches/CVE-2022-27664.patch: update bundled golang.org/x/net/http2.
    - debian/patches/CVE-2022-28131.patch: use iterative Skip, rather than
      recursive.
    - debian/patches/CVE-2022-30631.patch: fix stack exhaustion bug in
      Reader.Read.
    - debian/patches/CVE-2022-30632.patch: fix stack exhaustion in Glob.
    - debian/patches/CVE-2022-30633.patch: limit depth of nesting in unmarshal.
    - debian/patches/CVE-2022-30635.patch: add a depth limit for ignored fields.
    - debian/patches/CVE-2022-32189.patch: check buffer lengths in GobDecode.
    - debian/patches/CVE-2022-41717.patch: update bundled golang.org/x/net/http2.
    - debian/patches/CVE-2023-24534.patch: avoid overpredicting the number of
      MIME header keys.
    - CVE-2022-27664
    - CVE-2022-28131
    - CVE-2022-30631
    - CVE-2022-30632
    - CVE-2022-30633
    - CVE-2022-30635
    - CVE-2022-32189
    - CVE-2022-41717
    - CVE-2023-24534
  * SECURITY UPDATE: out-of-bound read issue
    - debian/patches/CVE-2022-2879.patch: limit size of headers.
    - debian/source/include-binaries: add test file bz2
      pax-bad-hdr-large.tar.bz2.
    - CVE-2022-2879
  * SECURITY UPDATE: query parameter smuggling issue in Go proxy
    - debian/patches/CVE-2022-2880-pre.patch: reject query values with
      semicolons.
    - debian/patches/CVE-2022-2880.patch: avoid query parameter smuggling.
    - CVE-2022-2880
  * SECURITY UPDATE: tls session takeover vulnerability
    - debian/patches/CVE-2022-30629.patch: randomly generate ticket_age_add.
    - CVE-2022-30629
  * SECURITY UPDATE: sensitive information exposure
    - debian/patches/CVE-2022-32148.patch: preserve nil values in Header.Clone.
    - CVE-2022-32148
  * SECURITY UPDATE: integer overflow issue
    - debian/patches/CVE-2023-24537.patch: reject large line and column number
      in //line directives.
    - CVE-2023-24537
  * SECURITY UPDATE: code injection vulnerability
    - debian/patches/CVE-2023-24538.patch: disallow actions in JS template
      literals.
    - CVE-2023-24538

 -- David Fernandez Gonzalez <email address hidden>  Wed, 03 Jan 2024 12:35:19 +0100

CVE-2022-1705: Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling i
CVE-2022-27664: In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closin
CVE-2022-28131: Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion vi
CVE-2022-30631: Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion vi
CVE-2022-30632: Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a pat
CVE-2022-30633: Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via u
CVE-2022-30635: Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion
CVE-2022-32189: A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing
CVE-2022-41717: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys
CVE-2023-24534: HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certai
CVE-2022-2879: Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of
CVE-2022-2880: Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http.
CVE-2022-30629: Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshak
CVE-2022-32148: Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with
CVE-2023-24537: Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to
CVE-2023-24538: Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6,

golang-1.13 (1.13.8-1ubuntu1.1) focal-security; urgency=medium

  * SECURITY UPDATE: Infinite read loop via invalid inputs
    - debian/patches/CVE-2020-16845.patch: ensure that ReadUvarint
      reads a limited amount of data in src/encoding/binary/varint.go.
    - CVE-2020-16845

 -- David Fernandez Gonzalez <email address hidden>  Wed, 09 Nov 2022 11:28:24 +0100

CVE-2020-16845: Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.