UbuntuUpdates.org

Package "golang-1.18"

Name: golang-1.18

Description: Go programming language compiler - metapackage

Latest version: 1.18.1-1ubuntu1~20.04.3
Release: focal (20.04)
Level: security
Repository: universe
Homepage: https://golang.org

Other versions of "golang-1.18" in Focal

Repository Area Version
updates universe 1.18.1-1ubuntu1~20.04.3


Changelog

Version: 1.18.1-1ubuntu1~20.04.3 2024-11-14 14:07:23 UTC

  golang-1.18 (1.18.1-1ubuntu1~20.04.3) focal-security; urgency=medium

  * SECURITY UPDATE: Code Injection, XSS, Denial of Service
    - debian/patches/CVE-2022-41723.patch: net/http: update bundled
      golang.org/x/net/http2
    - debian/patches/CVE-2022-41724.patch: crypto/tls: replace all
      usages of BytesOrPanic
    - debian/patches/CVE-2022-41725.patch: mime/multipart: limit
      memory/inode consumption of ReadForm
    - debian/patches/CVE-2023-24531.patch: cmd/go: sanitize go env
      outputs
    - debian/patches/CVE-2023-24536.patch: mime/multipart: limit parsed
      mime message sizes
    - debian/patches/CVE-2023-29402.patch: cmd/go: disallow package
      directories containing newlines
    - debian/patches/CVE-2023-29403.patch: runtime: implement SUID/SGID
      protections
    - debian/patches/CVE-2023-29404.patch: cmd/go: enforce flags with
      non-optional arguments
    - debian/patches/CVE-2023-29405-1.patch: cmd/go,cmd/cgo: in
      _cgo_flags use one line per flag
    - debian/patches/CVE-2023-29405-2.patch: cmd/cgo: correct
      _cgo_flags output
    - debian/patches/CVE-2023-29406.patch: net/http: validate Host
      header before sending
    - debian/patches/CVE-2023-39318.patch: html/template: support
      HTML-like comments in script contexts
    - debian/patches/CVE-2023-39319.patch: html/template: properly
      handle special tags within the script context
    - debian/patches/CVE-2023-39323.patch: cmd/compile: use absolute
      file name in isCgo check
    - debian/patches/CVE-2023-39325.patch: net/http: regenerate
      h2_bundle.go
    - debian/patches/CVE-2023-45288.patch: net/http: update bundled
      golang.org/x/net/http2
    - debian/patches/CVE-2023-45290.patch: net/textproto,
      mime/multipart: avoid unbounded read in MIME header
    - debian/patches/CVE-2024-24783.patch: crypto/x509: make sure pub
      key is non-nil before interface conversion
    - debian/patches/CVE-2024-24784.patch: net/mail: properly handle
      special characters in phrase and obs-phrase
    - debian/patches/CVE-2024-24785.patch: html/template: escape
      additional tokens in MarshalJSON errors
    - debian/patches/CVE-2024-24789.patch: archive/zip: treat truncated
      EOCDR comment as an error
    - debian/patches/CVE-2024-24790.patch: net/netip: check if address
      is v6 mapped in Is methods
    - debian/patches/CVE-2024-24791.patch: net/http: send body or close
      connection on expect-100-continue requests
    - debian/patches/CVE-2024-34155.patch: go/parser: track depth in
      nested element lists
    - debian/patches/CVE-2024-34156.patch: encoding/gob: cover missed
      cases when checking ignore depth
    - debian/patches/CVE-2024-34158.patch: go/build/constraint: add
      parsing limits
    - CVE-2022-41723
    - CVE-2022-41724
    - CVE-2022-41725
    - CVE-2023-24531
    - CVE-2023-24536
    - CVE-2023-29402
    - CVE-2023-29403
    - CVE-2023-29404
    - CVE-2023-29405
    - CVE-2023-29406
    - CVE-2023-39318
    - CVE-2023-39319
    - CVE-2023-39323
    - CVE-2023-39325
    - CVE-2023-45288
    - CVE-2023-45290
    - CVE-2024-24783
    - CVE-2024-24784
    - CVE-2024-24785
    - CVE-2024-24789
    - CVE-2024-24790
    - CVE-2024-24791
    - CVE-2024-34155
    - CVE-2024-34156
    - CVE-2024-34158
  * debian/patches/0008-backport-syscall-package-2.patch,
    debian/patches/0009-backport-syscall-package-3.patch,
    debian/patches/0010-backport-syscall-package-4.patch,
    debian/patches/0011-backport-syscall-package-5.patch,
    debian/patches/0012-backport-syscall-package-6.patch: backport
    syscall package for the fix for CVE-2023-29403 from upstream.
  * debian/source/include-binaries:
    src/archive/zip/testdata/comment-truncated.zip for CVE-2024-24789

 -- Allen Huang <email address hidden> Thu, 07 Nov 2024 11:03:46 +0000

CVE-2022-41723 A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small
CVE-2022-41724 Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients
CVE-2022-41725 A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader
CVE-2023-24531 Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its ou
CVE-2023-24536 Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems fro
CVE-2023-29402 The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses
CVE-2023-29403 On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain case
CVE-2023-29404 The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a
CVE-2023-29405 The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a
CVE-2023-29406 The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire
CVE-2023-39318 The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may caus
CVE-2023-39319 The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script
CVE-2023-39323 Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed
CVE-2023-39325 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total
CVE-2023-45288 An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining
CVE-2023-45290 When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Requ
CVE-2024-24783 Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects
CVE-2024-24784 The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conformi
CVE-2024-24785 If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html
CVE-2024-24789 The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment cou
CVE-2024-24790 The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which woul
CVE-2024-24791 The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational
CVE-2024-34155 Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
CVE-2024-34156 Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-202
CVE-2024-34158 Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Version: 1.18.1-1ubuntu1~20.04.2 2023-04-25 14:07:14 UTC

  golang-1.18 (1.18.1-1ubuntu1~20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: http request smuggling issue
    - debian/patches/CVE-2022-1705.patch: don't strip whitespace from
      Transfer-Encoding headers
    - CVE-2022-1705
  * SECURITY UPDATE: DoS issue due to panic
    - debian/patches/CVE-2022-1962.patch: limit recursion depth
    - debian/patches/CVE-2022-27664.patch: update bundled golang.org/x/net/http2
    - debian/patches/CVE-2022-28131.patch: use iterative Skip, rather than
      recursive
    - debian/patches/CVE-2022-30630.patch: fix stack exhaustion in Glob
    - debian/patches/CVE-2022-30631.patch: fix stack exhaustion bug in
      Reader.Read
    - debian/patches/CVE-2022-30632.patch: fix stack exhaustion in Glob
    - debian/patches/CVE-2022-30633.patch: limit depth of nesting in unmarshal
    - debian/patches/CVE-2022-30635.patch: add a depth limit for ignored fields
    - debian/patches/CVE-2022-32189.patch: check buffer lengths in GobDecode
    - debian/patches/CVE-2022-41715.patch: limit size of parsed regexps
    - debian/patches/CVE-2022-41717.patch: update bundled golang.org/x/net/http2
    - debian/patches/CVE-2023-24534.patch: avoid overpredicting the number of
      MIME header keys
    - CVE-2022-1962
    - CVE-2022-27664
    - CVE-2022-28131
    - CVE-2022-30630
    - CVE-2022-30631
    - CVE-2022-30632
    - CVE-2022-30633
    - CVE-2022-30635
    - CVE-2022-32189
    - CVE-2022-41715
    - CVE-2022-41717
    - CVE-2023-24534
  * SECURITY UPDATE: out-of-bound read issue
    - debian/patches/CVE-2022-2879.patch: limit size of headers
    - CVE-2022-2879
  * SECURITY UPDATE: query parameter smuggling issue in Go proxy
    - debian/patches/CVE-2022-2880.patch: avoid query parameter smuggling
    - CVE-2022-2880
  * SECURITY UPDATE: Incorrect privilege assignment issue
    - debian/patches/CVE-2022-29526.patch: check correct group in Faccessat
    - CVE-2022-29526
  * SECURITY UPDATE: tls session takeover vulnerability
    - debian/patches/CVE-2022-30629.patch: randomly generate ticket_age_add
    - CVE-2022-30629
  * SECURITY UPDATE: sensitive information exposure
    - debian/patches/CVE-2022-32148.patch: preserve nil values in Header.Clone
    - CVE-2022-32148
  * SECURITY UPDATE: integer overflow issue
    - debian/patches/CVE-2023-24537.patch: reject large line and column number
      in //line directives
    - CVE-2023-24537
  * SECURITY UPDATE: code injection vulnerability
    - debian/patches/CVE-2023-24538.patch: disallow actions in JS template
      literals
    - debian/patches/godebug_dep_test_error.patch: fix test dependency error
    - CVE-2023-24538

 -- Nishit Majithia <email address hidden> Mon, 24 Apr 2023 17:28:49 +0530

CVE-2022-1705 Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling i
CVE-2022-1962 Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion
CVE-2022-27664 In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closin
CVE-2022-28131 Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion vi
CVE-2022-30630 Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which
CVE-2022-30631 Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion vi
CVE-2022-30632 Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a pat
CVE-2022-30633 Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via u
CVE-2022-30635 Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion
CVE-2022-32189 A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing
CVE-2022-41715 Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp repr
CVE-2022-41717 An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys
CVE-2023-24534 HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certai
CVE-2022-2879 Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of
CVE-2022-2880 Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http.
CVE-2022-29526 Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function co
CVE-2022-30629 Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshak
CVE-2022-32148 Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with
CVE-2023-24537 Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to
CVE-2023-24538 Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6,
