UbuntuUpdates.org

Package "golang-1.16"

Name: golang-1.16

Description:

Go programming language compiler - metapackage

Latest version: 1.16.2-0ubuntu1~20.04.1
Release: focal (20.04)
Level: updates
Repository: universe
Homepage: https://golang.org

Other versions of "golang-1.16" in Focal

Repository   Area       Version
security     universe   1.16.2-0ubuntu1~20.04.1

Changelog

Version: 1.16.2-0ubuntu1~20.04.1 2024-01-09 15:07:02 UTC

  golang-1.16 (1.16.2-0ubuntu1~20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: http request smuggling issue
    - debian/patches/CVE-2022-1705.patch: don't strip whitespace from
      Transfer-Encoding headers.
    - CVE-2022-1705
  * SECURITY UPDATE: DoS issue due to panic
    - debian/patches/CVE-2022-27664.patch: update bundled golang.org/x/net/http2.
    - debian/patches/CVE-2022-28131.patch: use iterative Skip, rather than
      recursive.
    - debian/patches/CVE-2022-30630.patch: fix stack exhaustion in Glob.
    - debian/patches/CVE-2022-30631.patch: fix stack exhaustion bug in
      Reader.Read.
    - debian/patches/CVE-2022-30632.patch: fix stack exhaustion in Glob.
    - debian/patches/CVE-2022-30633.patch: limit depth of nesting in unmarshal.
    - debian/patches/CVE-2022-30635.patch: add a depth limit for ignored fields.
    - debian/patches/CVE-2022-32189.patch: check buffer lengths in GobDecode.
    - debian/patches/CVE-2022-41717.patch: update bundled golang.org/x/net/http2.
    - debian/patches/CVE-2023-24534.patch: avoid overpredicting the number of
      MIME header keys.
    - CVE-2022-27664
    - CVE-2022-28131
    - CVE-2022-30630
    - CVE-2022-30631
    - CVE-2022-30632
    - CVE-2022-30633
    - CVE-2022-30635
    - CVE-2022-32189
    - CVE-2022-41717
    - CVE-2023-24534
  * SECURITY UPDATE: out-of-bound read issue
    - debian/patches/CVE-2022-2879.patch: limit size of headers.
    - debian/source/include-binaries: add test file bz2
      pax-bad-hdr-large.tar.bz2.
    - CVE-2022-2879
  * SECURITY UPDATE: query parameter smuggling issue in Go proxy
    - debian/patches/CVE-2022-2880-pre.patch: reject query values with
      semicolons.
    - debian/patches/CVE-2022-2880.patch: avoid query parameter smuggling.
    - CVE-2022-2880
  * SECURITY UPDATE: Incorrect privilege assignment issue
    - debian/patches/CVE-2022-29526.patch: check correct group in Faccessat.
    - CVE-2022-29526
  * SECURITY UPDATE: tls session takeover vulnerability
    - debian/patches/CVE-2022-30629.patch: randomly generate ticket_age_add.
    - CVE-2022-30629
  * SECURITY UPDATE: sensitive information exposure
    - debian/patches/CVE-2022-32148.patch: preserve nil values in Header.Clone.
    - CVE-2022-32148
  * SECURITY UPDATE: integer overflow issue
    - debian/patches/CVE-2023-24537.patch: reject large line and column number
      in //line directives.
    - CVE-2023-24537
  * SECURITY UPDATE: code injection vulnerability
    - debian/patches/CVE-2023-24538.patch: disallow actions in JS template
      literals.
    - CVE-2023-24538

 -- David Fernandez Gonzalez <email address hidden> Tue, 05 Dec 2023 16:26:08 +0100

CVE-2022-1705 Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling i
CVE-2022-27664 In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closin
CVE-2022-28131 Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion vi
CVE-2022-30630 Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which
CVE-2022-30631 Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion vi
CVE-2022-30632 Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a pat
CVE-2022-30633 Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via u
CVE-2022-30635 Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion
CVE-2022-32189 A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing
CVE-2022-41717 An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys
CVE-2023-24534 HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certai
CVE-2022-2879 Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of
CVE-2022-2880 Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http.
CVE-2022-29526 Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function co
CVE-2022-30629 Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshak
CVE-2022-32148 Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with
CVE-2023-24537 Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to
CVE-2023-24538 Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6,

Version: 1.16.2-0ubuntu1~20.04 2021-06-07 17:06:44 UTC

  golang-1.16 (1.16.2-0ubuntu1~20.04) focal; urgency=medium

  * Backport to focal (LP: #1929038)

 -- Didier Roche <email address hidden> Mon, 10 May 2021 13:41:08 +0200

1929038 [SRU] Backport to 20.04 LTS
