Package "golang-1.20"

Name: golang-1.20
Description: Go programming language compiler - metapackage
Latest version: 1.20.3-1ubuntu0.2
Release: lunar (23.04)
Level: security
Repository: main
Homepage: https://go.dev/
Changelog
golang-1.20 (1.20.3-1ubuntu0.2) lunar-security; urgency=medium

  * SECURITY UPDATE: XSS issue
    - debian/patches/CVE-2023-39318.patch: support HTML-like comments in
      script contexts
    - debian/patches/CVE-2023-39319.patch: properly handle special tags
      within the script context
    - CVE-2023-39318
    - CVE-2023-39319
  * SECURITY UPDATE: bypass directives restrictions
    - debian/patches/CVE-2023-39323.patch: cmd/compile: use absolute file
      name in isCgo check
    - CVE-2023-39323
  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2023-39325_44487.patch: http2: limit maximum
      handler goroutines to MaxConcurrentStreams
    - CVE-2023-39325
    - CVE-2023-44487
  * SECURITY UPDATE: out-of-bound read
    - debian/patches/CVE-2023-39326.patch: net/http: limit chunked data
      overhead
    - CVE-2023-39326
  * SECURITY UPDATE: bypass secure protocol
    - debian/patches/CVE-2023-45285.patch: error out if the requested repo
      does not support a secure protocol
    - CVE-2023-45285

 -- Nishit Majithia <email address hidden>  Wed, 10 Jan 2024 11:58:24 +0530
CVE-2023-39318: The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may caus
CVE-2023-39319: The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script
CVE-2023-39323: Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed
CVE-2023-39325: A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total
CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consum ...
CVE-2023-39326: A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network
CVE-2023-45285: Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via th
golang-1.20 (1.20.3-1ubuntu0.1) lunar-security; urgency=medium

  * SECURITY UPDATE: html injection vulnerability
    - debian/patches/CVE-2023-24539.patch: disallow angle brackets in CSS
      values
    - debian/patches/CVE-2023-29400.patch: emit filterFailsafe for empty
      unquoted attr value
    - CVE-2023-24539
    - CVE-2023-29400
  * SECURITY UPDATE: javascript injection vulnerability
    - debian/patches/CVE-2023-24540.patch: handle all JS whitespace
      characters
    - CVE-2023-24540

 -- Nishit Majithia <email address hidden>  Wed, 31 May 2023 17:28:05 +0530
CVE-2023-24539: Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/'
CVE-2023-29400: Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results w
CVE-2023-24540: Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character s