Package "golang-1.17"
Name: golang-1.17
Description: This package is just an umbrella for a group of other packages; it has no description. Description samples from packages in group:
- Go programming language - documentation
Latest version: 1.17.13-3ubuntu1.2
Release: jammy (22.04)
Level: updates
Repository: main
Changelog
golang-1.17 (1.17.13-3ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Code Injection, XSS, Denial of Service
    - debian/patches/CVE-2023-24531.patch: cmd/go: sanitize go env
      outputs
    - debian/patches/CVE-2023-24538.patch: html/template: disallow
      actions in JS template literals
    - debian/patches/CVE-2023-29402.patch: cmd/go: disallow package
      directories containing newlines
    - debian/patches/CVE-2023-29403.patch: runtime: implement SUID/SGID
      protections. Thanks to Tang Xi from OpenEuler for the backport.
    - debian/patches/CVE-2023-29404.patch: cmd/go: enforce flags with
      non-optional arguments
    - debian/patches/CVE-2023-29405-1.patch: cmd/go,cmd/cgo: in
      _cgo_flags use one line per flag
    - debian/patches/CVE-2023-29405-2.patch: cmd/cgo: correct
      _cgo_flags output
    - debian/patches/CVE-2023-29406.patch: net/http: validate Host
      header before sending
    - debian/patches/CVE-2023-39318.patch: html/template: support
      HTML-like comments in script contexts
    - debian/patches/CVE-2023-39319.patch: html/template: properly
      handle special tags within the script context
    - debian/patches/CVE-2023-39325.patch: net/http: regenerate
      h2_bundle.go
    - debian/patches/CVE-2024-24785.patch: html/template: escape
      additional tokens in MarshalJSON errors
    - CVE-2023-24531
    - CVE-2023-24538
    - CVE-2023-29402
    - CVE-2023-29403
    - CVE-2023-29404
    - CVE-2023-29405
    - CVE-2023-29406
    - CVE-2023-39318
    - CVE-2023-39319
    - CVE-2023-39325
    - CVE-2024-24785
  * debian/patches/0007-backport-syscall-package-1.patch,
    debian/patches/0008-backport-syscall-package-2.patch,
    debian/patches/0009-backport-syscall-package-3.patch,
    debian/patches/0010-backport-syscall-package-4.patch,
    debian/patches/0011-backport-syscall-package-5.patch,
    debian/patches/0012-backport-syscall-package-6.patch: backport
    syscall package for the fix for CVE-2023-29403 from upstream.

 -- Allen Huang <email address hidden>  Tue, 24 Sep 2024 14:26:38 +0100
CVE-2023-24531: Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its ou
CVE-2023-24538: Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6,
CVE-2023-29402: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses
CVE-2023-29403: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain case
CVE-2023-29404: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a
CVE-2023-29405: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a
CVE-2023-29406: The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire
CVE-2023-39318: The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may caus
CVE-2023-39319: The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script
CVE-2023-39325: A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total
CVE-2024-24785: If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html
golang-1.17 (1.17.13-3ubuntu1) jammy; urgency=medium

  * Merge from Debian unstable (LP: #1990893). Remaining changes:
    - 0001-cmd-link-check-CGO_CFLAGS-for-non-g-I-O-options-befo.patch
      disable internal linking when dynamically linking and CGO_CFLAGS
      contains flags that might make host object files that the internal
      linker's ELF reader does not support. This fixes lots of package builds
      when LTO is enabled by default via dpkg-buildflags.
    - d/rules: Add NO_PNG_PKG_MANGLE to prevent a test file from being
      compressed.

 -- William 'jawn-smith' Wilson <email address hidden>  Mon, 03 Oct 2022 14:33:32 -0500