Package "golang-1.22-src"
Name: golang-1.22-src
Description: Go programming language - source files
Latest version: 1.22.2-2ubuntu0.4
Release: noble (24.04)
Level: updates
Repository: main
Head package: golang-1.22
Homepage: https://go.dev/
Changelog
golang-1.22 (1.22.2-2ubuntu0.4) noble-security; urgency=medium
* SECURITY UPDATE: leak sensitive headers when handling redirect
requests.
- debian/patches/CVE-2024-45336.patch: net/http: persist header
stripping across repeated redirects.
- CVE-2024-45336
* SECURITY UPDATE: IPv6 zone IDs can bypass URI name constraints.
- debian/patches/CVE-2024-45341.patch: crypto/x509: properly
check for IPv6 hosts in URIs.
- CVE-2024-45341
* SECURITY UPDATE: information bit leak on ppc64le architecture.
- debian/patches/CVE-2025-22866.patch: crypto/internal/fips140/nistec:
make p256NegCond constant time on ppc64le.
- CVE-2025-22866
* SECURITY UPDATE: denial of service issue by improperly treating an IPv6
zone ID as a hostname component.
- debian/patches/CVE-2025-22870.patch: http/httpproxy: do not mismatch
IPv6 zone ids against hosts.
- CVE-2025-22870
* SECURITY UPDATE: leak sensitive information on redirects outside of
the original domain.
- debian/patches/CVE-2025-4673.patch: net/http: strip sensitive proxy
headers from redirect requests.
- CVE-2025-4673
* BUILD UPDATE: tls certificate expired during building and testing.
- debian/patches/fix-config-time-tests-using-expired-certs.patch:
crypto/tls: fix Config.Time in tests using expired certificates.
-- Evan Caville <email address hidden> Tue, 17 Jun 2025 14:16:56 +1000

CVE-2024-45336: The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header
CVE-2024-45341: A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.
CVE-2025-22866: Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are
CVE-2025-22870: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment var
CVE-2025-4673: Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.

golang-1.22 (1.22.2-2ubuntu0.3) noble-security; urgency=medium
* SECURITY UPDATE: denial of service issue when handling
"Expect: 100-continue" headers
- debian/patches/CVE-2024-24791.patch: net/http: send body or close
connection on expect-100-continue requests.
- CVE-2024-24791
* SECURITY UPDATE: denial of service issue when calling any Parse functions
from stack exhaustion
- debian/patches/CVE-2024-34155.patch: go/parser: track depth in nested
element lists.
- CVE-2024-34155
* SECURITY UPDATE: denial of service issue when decoding a message from
stack exhaustion
- debian/patches/CVE-2024-34156.patch: encoding/gob: cover missed cases
when checking ignore depth.
- CVE-2024-34156
* SECURITY UPDATE: denial of service issue when calling Parse on certain
build tags from stack exhaustion
- debian/patches/CVE-2024-34158.patch: go/build/constraint: add parsing
limits.
- CVE-2024-34158
-- Evan Caville <email address hidden> Fri, 18 Oct 2024 10:25:58 +1100

CVE-2024-24791: The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational
CVE-2024-34155: Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
CVE-2024-34156: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-202
CVE-2024-34158: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

golang-1.22 (1.22.2-2ubuntu0.2) noble-proposed; urgency=medium
* SRU: LP: #2076340: No-change rebuild to pick up changed build flags
on ppc64 and s390x.
-- Matthias Klose <email address hidden> Fri, 09 Aug 2024 04:33:22 +0200
golang-1.22 (1.22.2-2ubuntu0.1) noble-security; urgency=medium
* SECURITY UPDATE: denial of service issue
- debian/patches/CVE-2024-24788.patch: net: check SkipAdditional error
result
- CVE-2024-24788
* SECURITY UPDATE: denial of service issue
- debian/patches/CVE-2024-24789.patch: archive/zip: treat truncated
EOCDR comment as an error
- debian/source/include-binaries: Add zip testdata file
- CVE-2024-24789
* SECURITY UPDATE: incorrect IPv4-mapped IPv6 addresses issue
- debian/patches/CVE-2024-24790.patch: net/netip: check if address is
v6 mapped in Is methods
- CVE-2024-24790
-- Nishit Majithia <email address hidden> Mon, 08 Jul 2024 17:42:31 +0530

CVE-2024-24788: A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
CVE-2024-24789: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment cou
CVE-2024-24790: The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which woul