Package "golang-1.21"

Name: golang-1.21
Description: Go programming language compiler - metapackage
Latest version: 1.21.1-1~ubuntu20.04.3
Release: focal (20.04)
Level: security
Repository: universe
Homepage: https://go.dev/
Changelog
golang-1.21 (1.21.1-1~ubuntu20.04.3) focal-security; urgency=medium
* SECURITY UPDATE: denial of service issue
- debian/patches/CVE-2023-45288.patch: update bundled golang.org/x/net/http2
- CVE-2023-45288
* SECURITY UPDATE: leak sensitive information
- debian/patches/CVE-2023-45289.patch: net/http, net/http/cookiejar:
avoid subdomain matches on IPv6 zones
- CVE-2023-45289
* SECURITY UPDATE: denial of service issue
- debian/patches/CVE-2023-45290.patch: net/textproto, mime/multipart:
avoid unbounded read in MIME header
- CVE-2023-45290
* SECURITY UPDATE: panic on unknown public key algorithm
- debian/patches/CVE-2024-24783.patch: crypto/x509: make sure pub key
is non-nil before interface conversion
- CVE-2024-24783
* SECURITY UPDATE: panic on handling special characters
- debian/patches/CVE-2024-24784.patch: net/mail: properly handle
special characters in phrase and obs-phrase
- CVE-2024-24784
* SECURITY UPDATE: template injection issue
- debian/patches/CVE-2024-24785.patch: html/template: escape additional
tokens in MarshalJSON errors
- CVE-2024-24785
* SECURITY UPDATE: denial of service issue
- debian/patches/CVE-2024-24789.patch: archive/zip: treat truncated
EOCDR comment as an error
- debian/source/include-binaries: Add zip testdata file
- CVE-2024-24789
* SECURITY UPDATE: incorrect IPv4-mapped IPv6 addresses issue
- debian/patches/CVE-2024-24790.patch: net/netip: check if address is
v6 mapped in Is methods
- CVE-2024-24790
-- Nishit Majithia <email address hidden> Mon, 08 Jul 2024 17:38:50 +0530
CVE-2023-45288: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining

CVE-2023-45289: When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sens

CVE-2023-45290: When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Requ

CVE-2024-24783: Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects

CVE-2024-24784: The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conformi

CVE-2024-24785: If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html

CVE-2024-24789: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment cou

CVE-2024-24790: The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which woul

golang-1.21 (1.21.1-1~ubuntu20.04.2) focal-security; urgency=medium
* SECURITY UPDATE: bypass directives restrictions
- debian/patches/CVE-2023-39323.patch: cmd/compile: use absolute file
name in isCgo check
- CVE-2023-39323
* SECURITY UPDATE: denial of service
- debian/patches/CVE-2023-39325_44487.patch: http2: limit maximum
handler goroutines to MaxConcurrentStreams
- CVE-2023-39325
- CVE-2023-44487
* SECURITY UPDATE: out-of-bound read
- debian/patches/CVE-2023-39326.patch: net/http: limit chunked data
overhead
- CVE-2023-39326
* SECURITY UPDATE: bypass secure protocol
- debian/patches/CVE-2023-45285.patch: error out if the requested repo
does not support a secure protocol
- CVE-2023-45285
-- Nishit Majithia <email address hidden> Mon, 08 Jan 2024 11:39:58 +0530

CVE-2023-39323: Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed

CVE-2023-39325: A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total

CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consum ...

CVE-2023-39326: A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network

CVE-2023-45285: Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via th