Package "golang-1.17-go"
Name: golang-1.17-go
Description: Go programming language compiler, linker, compiled stdlib
Latest version: 1.17.13-3ubuntu1.2
Release: jammy (22.04)
Level: security
Repository: universe
Head package: golang-1.17
Homepage: https://go.dev/
Changelog
golang-1.17 (1.17.13-3ubuntu1.2) jammy-security; urgency=medium
* SECURITY UPDATE: Code Injection, XSS, Denial of Service
- debian/patches/CVE-2023-24531.patch: cmd/go: sanitize go env
outputs
- debian/patches/CVE-2023-24538.patch: html/template: disallow
actions in JS template literals
- debian/patches/CVE-2023-29402.patch: cmd/go: disallow package
directories containing newlines
- debian/patches/CVE-2023-29403.patch: runtime: implement SUID/SGID
protections. Thanks to Tang Xi from OpenEuler for the backport.
- debian/patches/CVE-2023-29404.patch: cmd/go: enforce flags with
non-optional arguments
- debian/patches/CVE-2023-29405-1.patch: cmd/go,cmd/cgo: in
_cgo_flags use one line per flag
- debian/patches/CVE-2023-29405-2.patch: cmd/cgo: correct
_cgo_flags output
- debian/patches/CVE-2023-29406.patch: net/http: validate Host
header before sending
- debian/patches/CVE-2023-39318.patch: html/template: support
HTML-like comments in script contexts
- debian/patches/CVE-2023-39319.patch: html/template: properly
handle special tags within the script context
- debian/patches/CVE-2023-39325.patch: net/http: regenerate
h2_bundle.go
- debian/patches/CVE-2024-24785.patch: html/template: escape
additional tokens in MarshalJSON errors
- CVE-2023-24531
- CVE-2023-24538
- CVE-2023-29402
- CVE-2023-29403
- CVE-2023-29404
- CVE-2023-29405
- CVE-2023-29406
- CVE-2023-39318
- CVE-2023-39319
- CVE-2023-39325
- CVE-2024-24785
* debian/patches/0007-backport-syscall-package-1.patch,
debian/patches/0008-backport-syscall-package-2.patch,
debian/patches/0009-backport-syscall-package-3.patch,
debian/patches/0010-backport-syscall-package-4.patch,
debian/patches/0011-backport-syscall-package-5.patch,
debian/patches/0012-backport-syscall-package-6.patch: backport
syscall package for the fix for CVE-2023-29403 from upstream.
-- Allen Huang <email address hidden> Tue, 24 Sep 2024 14:26:38 +0100
CVE-2023-24531: Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its ou
CVE-2023-24538: Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6,
CVE-2023-29402: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses
CVE-2023-29403: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain case
CVE-2023-29404: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a
CVE-2023-29405: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a
CVE-2023-29406: The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire
CVE-2023-39318: The html/template package does not properly handle HTML-like "<!--" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may caus
CVE-2023-39319: The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script
CVE-2023-39325: A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total
CVE-2024-24785: If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html