UbuntuUpdates.org

Package "golang-1.17-doc"

Name: golang-1.17-doc

Description:

Go programming language - documentation
Latest version: 1.17.13-3ubuntu1.3
Release: jammy (22.04)
Level: security
Repository: main
Head package: golang-1.17
Homepage: https://go.dev/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "golang-1.17-doc"

All arch deb package
APT INSTALL

Other versions of "golang-1.17-doc" in Jammy

Repository Area Version
base main 1.17.3-1ubuntu2
updates main 1.17.13-3ubuntu1.3

Changelog

Version: 1.17.13-3ubuntu1.3 2024-11-14 20:06:51 UTC

  golang-1.17 (1.17.13-3ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Code Injection and Denial of Service
    - debian/patches/CVE-2022-41723.patch: net/http: update bundled
      golang.org/x/net/http2
    - debian/patches/CVE-2022-41724.patch: crypto/tls: replace all
      usages of BytesOrPanic
    - debian/patches/CVE-2022-41725.patch: mime/multipart: limit
      memory/inode consumption of ReadForm
    - debian/patches/CVE-2023-24536.patch: mime/multipart: limit parsed
      mime message sizes
    - debian/patches/CVE-2023-39323.patch: cmd/compile: use absolute
      file name in isCgo check
    - debian/patches/CVE-2023-45288.patch: net/http: update bundled
      golang.org/x/net/http2
    - debian/patches/CVE-2023-45290.patch: net/textproto,
      mime/multipart: avoid unbounded read in MIME header
    - debian/patches/CVE-2024-24783.patch: crypto/x509: make sure pub
      key is non-nil before interface conversion
    - debian/patches/CVE-2024-24784.patch: net/mail: properly handle
      special characters in phrase and obs-phrase
    - debian/patches/CVE-2024-24789.patch: archive/zip: treat truncated
      EOCDR comment as an error
    - debian/patches/CVE-2024-24791.patch: net/http: send body or close
      connection on expect-100-continue requests
    - debian/patches/CVE-2024-34155.patch: go/parser: track depth in
      nested element lists
    - debian/patches/CVE-2024-34156.patch: encoding/gob: cover missed
      cases when checking ignore depth
    - debian/patches/CVE-2024-34158.patch: go/build/constraint: add
      parsing limits
    - CVE-2023-39323
    - CVE-2022-41723
    - CVE-2022-41724
    - CVE-2022-41725
    - CVE-2023-24536
    - CVE-2023-45288
    - CVE-2023-45290
    - CVE-2024-24783
    - CVE-2024-24784
    - CVE-2024-24789
    - CVE-2024-24791
    - CVE-2024-34155
    - CVE-2024-34156
    - CVE-2024-34158
  * debian/source/include-binaries:
    src/archive/zip/testdata/comment-truncated.zip for CVE-2024-24789

 -- Allen Huang <email address hidden> Tue, 05 Nov 2024 15:09:19 +0000
Source diff to previous version
CVE-2022-41723 A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small
CVE-2022-41724 Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients
CVE-2022-41725 A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader
CVE-2023-24536 Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems fro
CVE-2023-39323 Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed
CVE-2023-45288 An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining
CVE-2023-45290 When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Requ
CVE-2024-24783 Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects
CVE-2024-24784 The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conformi
CVE-2024-24789 The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment cou
CVE-2024-24791 The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational
CVE-2024-34155 Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
CVE-2024-34156 Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-202
CVE-2024-34158 Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Version: 1.17.13-3ubuntu1.2 2024-10-10 12:07:13 UTC

  golang-1.17 (1.17.13-3ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Code Injection, XSS, Denial of Service
    - debian/patches/CVE-2023-24531.patch: cmd/go: sanitize go env
      outputs
    - debian/patches/CVE-2023-24538.patch: html/template: disallow
      actions in JS template literals
    - debian/patches/CVE-2023-29402.patch: cmd/go: disallow package
      directories containing newlines
    - debian/patches/CVE-2023-29403.patch: runtime: implement SUID/SGID
      protections. Thanks to Tang Xi from OpenEuler for the backport.
    - debian/patches/CVE-2023-29404.patch: cmd/go: enforce flags with
      non-optional arguments
    - debian/patches/CVE-2023-29405-1.patch: cmd/go,cmd/cgo: in
      _cgo_flags use one line per flag
    - debian/patches/CVE-2023-29405-2.patch: cmd/cgo: correct
      _cgo_flags output
    - debian/patches/CVE-2023-29406.patch: net/http: validate Host
      header before sending
    - debian/patches/CVE-2023-39318.patch: html/template: support
      HTML-like comments in script contexts
    - debian/patches/CVE-2023-39319.patch: html/template: properly
      handle special tags within the script context
    - debian/patches/CVE-2023-39325.patch: net/http: regenerate
      h2_bundle.go
    - debian/patches/CVE-2024-24785.patch: html/template: escape
      additional tokens in MarshalJSON errors
    - CVE-2023-24531
    - CVE-2023-24538
    - CVE-2023-29402
    - CVE-2023-29403
    - CVE-2023-29404
    - CVE-2023-29405
    - CVE-2023-29406
    - CVE-2023-39318
    - CVE-2023-39319
    - CVE-2023-39325
    - CVE-2024-24785
  * debian/patches/0007-backport-syscall-package-1.patch,
    debian/patches/0008-backport-syscall-package-2.patch,
    debian/patches/0009-backport-syscall-package-3.patch,
    debian/patches/0010-backport-syscall-package-4.patch,
    debian/patches/0011-backport-syscall-package-5.patch,
    debian/patches/0012-backport-syscall-package-6.patch: backport
    syscall pacakge for the fix for CVE-2023-29403 from upstream.

 -- Allen Huang <email address hidden> Tue, 24 Sep 2024 14:26:38 +0100
CVE-2023-24531 Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its ou
CVE-2023-24538 Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6,
CVE-2023-29402 The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses
CVE-2023-29403 On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain case
CVE-2023-29404 The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a
CVE-2023-29405 The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a
CVE-2023-29406 The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire
CVE-2023-39318 The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may caus
CVE-2023-39319 The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script
CVE-2023-39325 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total
CVE-2024-24785 If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html


About   -   Send Feedback to @ubuntu_updates