UbuntuUpdates.org

Package "golang-1.17"

Name: golang-1.17

Description:

This package is an umbrella for a group of other packages and has no description of its own.
Description samples from packages in group:

  • Go programming language - documentation

Latest version: 1.17.13-3ubuntu1.2
Release: jammy (22.04)
Level: updates
Repository: main

Other versions of "golang-1.17" in Jammy

Repository  Area      Version
base        main      1.17.3-1ubuntu2
base        universe  1.17.3-1ubuntu2
security    main      1.17.13-3ubuntu1.2
security    universe  1.17.13-3ubuntu1.2
updates     universe  1.17.13-3ubuntu1.2


Changelog

Version: 1.17.13-3ubuntu1.2 2024-10-10 13:07:05 UTC

  golang-1.17 (1.17.13-3ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Code Injection, XSS, Denial of Service
    - debian/patches/CVE-2023-24531.patch: cmd/go: sanitize go env
      outputs
    - debian/patches/CVE-2023-24538.patch: html/template: disallow
      actions in JS template literals
    - debian/patches/CVE-2023-29402.patch: cmd/go: disallow package
      directories containing newlines
    - debian/patches/CVE-2023-29403.patch: runtime: implement SUID/SGID
      protections. Thanks to Tang Xi from OpenEuler for the backport.
    - debian/patches/CVE-2023-29404.patch: cmd/go: enforce flags with
      non-optional arguments
    - debian/patches/CVE-2023-29405-1.patch: cmd/go,cmd/cgo: in
      _cgo_flags use one line per flag
    - debian/patches/CVE-2023-29405-2.patch: cmd/cgo: correct
      _cgo_flags output
    - debian/patches/CVE-2023-29406.patch: net/http: validate Host
      header before sending
    - debian/patches/CVE-2023-39318.patch: html/template: support
      HTML-like comments in script contexts
    - debian/patches/CVE-2023-39319.patch: html/template: properly
      handle special tags within the script context
    - debian/patches/CVE-2023-39325.patch: net/http: regenerate
      h2_bundle.go
    - debian/patches/CVE-2024-24785.patch: html/template: escape
      additional tokens in MarshalJSON errors
    - CVE-2023-24531
    - CVE-2023-24538
    - CVE-2023-29402
    - CVE-2023-29403
    - CVE-2023-29404
    - CVE-2023-29405
    - CVE-2023-29406
    - CVE-2023-39318
    - CVE-2023-39319
    - CVE-2023-39325
    - CVE-2024-24785
  * debian/patches/0007-backport-syscall-package-1.patch,
    debian/patches/0008-backport-syscall-package-2.patch,
    debian/patches/0009-backport-syscall-package-3.patch,
    debian/patches/0010-backport-syscall-package-4.patch,
    debian/patches/0011-backport-syscall-package-5.patch,
    debian/patches/0012-backport-syscall-package-6.patch: backport
    syscall package for the fix for CVE-2023-29403 from upstream.

 -- Allen Huang <email address hidden> Tue, 24 Sep 2024 14:26:38 +0100

CVE-2023-24531 Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its ou
CVE-2023-24538 Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6,
CVE-2023-29402 The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses
CVE-2023-29403 On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain case
CVE-2023-29404 The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a
CVE-2023-29405 The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a
CVE-2023-29406 The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire
CVE-2023-39318 The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may caus
CVE-2023-39319 The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script
CVE-2023-39325 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total
CVE-2024-24785 If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html
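Two of the fixes above are easy to verify from user space without reading the patches: the net/http client Host header validation (CVE-2023-29406) and the html/template handling of actions inside JS template literals (CVE-2023-24538). The program below is an added example written for this page; it is not part of the Ubuntu package, the Go project or the upstream advisories. It serialises a request with a constructed CRLF-bearing Host value and executes a constructed template whose action sits inside backticks, then reports whether the smuggled header or the raw backtick payload would reach the output. A toolchain carrying the fixes either refuses the operation (the behaviour introduced by the original upstream fixes) or neutralises the input (later Go releases send an empty Host and escape backticks); the unfixed 1.17.13-3ubuntu1 build lets both through. The payloads, template text and host name are assumptions chosen for the probe.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/http"
	"strings"
)

// Constructed probe inputs for this example (not taken from real traffic
// or from any real template).
const (
	// A Host value that smuggles a second header line via CRLF (CVE-2023-29406).
	injectedHost = "example.com\r\nX-Injected: 1"
	// A template action inside an ES6 template literal (CVE-2023-24538).
	tmplSrc = "<script>var s = `{{.}}`;</script>"
	// Data that closes the literal and runs code if copied through unescaped.
	payload = "`+alert(1)+`"
)

// probeHostHeader serialises a client request whose Host field carries a CRLF
// and reports whether the smuggled header line would reach the wire.
// A fixed net/http either refuses to write the request or drops the invalid
// Host value; an unfixed one emits "X-Injected: 1" as a genuine header.
func probeHostHeader() (fixed bool, wire string, err error) {
	req, err := http.NewRequest("GET", "http://example.com/", nil)
	if err != nil {
		return false, "", err
	}
	req.Host = injectedHost
	var buf bytes.Buffer
	if err = req.Write(&buf); err != nil {
		// Rejected before anything was serialised: fixed.
		return true, "", err
	}
	wire = buf.String()
	return !strings.Contains(wire, "X-Injected: 1"), wire, nil
}

// probeJSTemplateLiteral executes a template that interpolates data inside a
// JS template literal and reports whether the backticks in the data were
// neutralised. A fixed html/template either refuses to execute the template
// or escapes the data (backtick becomes \u0060); an unfixed one copies the
// payload through, so the literal is terminated and the injected code runs.
func probeJSTemplateLiteral() (fixed bool, out string, err error) {
	t, err := template.New("probe").Parse(tmplSrc)
	if err != nil {
		return false, "", err
	}
	var buf bytes.Buffer
	if err = t.Execute(&buf, payload); err != nil {
		// Execution refused (the original upstream fix behaviour): fixed.
		return true, "", err
	}
	out = buf.String()
	return !strings.Contains(out, payload), out, nil
}

func main() {
	fixed, wire, err := probeHostHeader()
	fmt.Printf("CVE-2023-29406 fixed: %v (err: %v)\nwire: %q\n\n", fixed, err, wire)

	fixed, out, err := probeJSTemplateLiteral()
	fmt.Printf("CVE-2023-24538 fixed: %v (err: %v)\noutput: %q\n", fixed, err, out)
}
```

Run it with the toolchain under test (`/usr/lib/go-1.17/bin/go run probe.go` on a Jammy host, or plain `go run` elsewhere); both probes print `fixed: true` on a patched toolchain. Note that `Request.Write` is used rather than a live `Client.Do` so the probe needs no network and shows the exact bytes that would have been sent.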

Version: 1.17.13-3ubuntu1 2022-11-23 05:07:20 UTC

  golang-1.17 (1.17.13-3ubuntu1) jammy; urgency=medium

  * Merge from Debian unstable (LP: #1990893). Remaining changes:
    - 0001-cmd-link-check-CGO_CFLAGS-for-non-g-I-O-options-befo.patch
      disable internal linking when dynamically linking and CGO_CFLAGS
      contains flags that might make host object files that the internal
      linkers ELF reader does not support. This fixes lots of package builds
      when LTO is enabled by default via dpkg-buildflags.
    - d/rules: Add NO_PNG_PKG_MANGLE to prevent a test file from being
      compressed.

 -- William 'jawn-smith' Wilson <email address hidden> Mon, 03 Oct 2022 14:33:32 -0500

LP: #1990893: Upgrade to 1.17.13
