Package "golang-1.17"
Name: |
golang-1.17
|
Description: |
Go programming language compiler - metapackage
|
Latest version: |
1.17.13-3ubuntu1.3 |
Release: |
jammy (22.04) |
Level: |
updates |
Repository: |
universe |
Homepage: |
https://go.dev/ |
Links
Download "golang-1.17"
Other versions of "golang-1.17" in Jammy
Packages in group
Deleted packages are displayed in grey.
Changelog
golang-1.17 (1.17.13-3ubuntu1.3) jammy-security; urgency=medium
* SECURITY UPDATE: Code Injection and Denial of Service
- debian/patches/CVE-2022-41723.patch: net/http: update bundled
golang.org/x/net/http2
- debian/patches/CVE-2022-41724.patch: crypto/tls: replace all
usages of BytesOrPanic
- debian/patches/CVE-2022-41725.patch: mime/multipart: limit
memory/inode consumption of ReadForm
- debian/patches/CVE-2023-24536.patch: mime/multipart: limit parsed
mime message sizes
- debian/patches/CVE-2023-39323.patch: cmd/compile: use absolute
file name in isCgo check
- debian/patches/CVE-2023-45288.patch: net/http: update bundled
golang.org/x/net/http2
- debian/patches/CVE-2023-45290.patch: net/textproto,
mime/multipart: avoid unbounded read in MIME header
- debian/patches/CVE-2024-24783.patch: crypto/x509: make sure pub
key is non-nil before interface conversion
- debian/patches/CVE-2024-24784.patch: net/mail: properly handle
special characters in phrase and obs-phrase
- debian/patches/CVE-2024-24789.patch: archive/zip: treat truncated
EOCDR comment as an error
- debian/patches/CVE-2024-24791.patch: net/http: send body or close
connection on expect-100-continue requests
- debian/patches/CVE-2024-34155.patch: go/parser: track depth in
nested element lists
- debian/patches/CVE-2024-34156.patch: encoding/gob: cover missed
cases when checking ignore depth
- debian/patches/CVE-2024-34158.patch: go/build/constraint: add
parsing limits
- CVE-2023-39323
- CVE-2022-41723
- CVE-2022-41724
- CVE-2022-41725
- CVE-2023-24536
- CVE-2023-45288
- CVE-2023-45290
- CVE-2024-24783
- CVE-2024-24784
- CVE-2024-24789
- CVE-2024-24791
- CVE-2024-34155
- CVE-2024-34156
- CVE-2024-34158
* debian/source/include-binaries:
src/archive/zip/testdata/comment-truncated.zip for CVE-2024-24789
-- Allen Huang <email address hidden> Tue, 05 Nov 2024 15:09:19 +0000
|
Source diff to previous version |
CVE-2022-41723 |
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small |
CVE-2022-41724 |
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients |
CVE-2022-41725 |
A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader |
CVE-2023-24536 |
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems fro |
CVE-2023-39323 |
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed |
CVE-2023-45288 |
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining |
CVE-2023-45290 |
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Requ |
CVE-2024-24783 |
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects |
CVE-2024-24784 |
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conformi |
CVE-2024-24789 |
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment cou |
CVE-2024-24791 |
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational |
CVE-2024-34155 |
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. |
CVE-2024-34156 |
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-202 |
CVE-2024-34158 |
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. |
|
golang-1.17 (1.17.13-3ubuntu1.2) jammy-security; urgency=medium
* SECURITY UPDATE: Code Injection, XSS, Denial of Service
- debian/patches/CVE-2023-24531.patch: cmd/go: sanitize go env
outputs
- debian/patches/CVE-2023-24538.patch: html/template: disallow
actions in JS template literals
- debian/patches/CVE-2023-29402.patch: cmd/go: disallow package
directories containing newlines
- debian/patches/CVE-2023-29403.patch: runtime: implement SUID/SGID
protections. Thanks to Tang Xi from OpenEuler for the backport.
- debian/patches/CVE-2023-29404.patch: cmd/go: enforce flags with
non-optional arguments
- debian/patches/CVE-2023-29405-1.patch: cmd/go,cmd/cgo: in
_cgo_flags use one line per flag
- debian/patches/CVE-2023-29405-2.patch: cmd/cgo: correct
_cgo_flags output
- debian/patches/CVE-2023-29406.patch: net/http: validate Host
header before sending
- debian/patches/CVE-2023-39318.patch: html/template: support
HTML-like comments in script contexts
- debian/patches/CVE-2023-39319.patch: html/template: properly
handle special tags within the script context
- debian/patches/CVE-2023-39325.patch: net/http: regenerate
h2_bundle.go
- debian/patches/CVE-2024-24785.patch: html/template: escape
additional tokens in MarshalJSON errors
- CVE-2023-24531
- CVE-2023-24538
- CVE-2023-29402
- CVE-2023-29403
- CVE-2023-29404
- CVE-2023-29405
- CVE-2023-29406
- CVE-2023-39318
- CVE-2023-39319
- CVE-2023-39325
- CVE-2024-24785
* debian/patches/0007-backport-syscall-package-1.patch,
debian/patches/0008-backport-syscall-package-2.patch,
debian/patches/0009-backport-syscall-package-3.patch,
debian/patches/0010-backport-syscall-package-4.patch,
debian/patches/0011-backport-syscall-package-5.patch,
debian/patches/0012-backport-syscall-package-6.patch: backport
syscall pacakge for the fix for CVE-2023-29403 from upstream.
-- Allen Huang <email address hidden> Tue, 24 Sep 2024 14:26:38 +0100
|
Source diff to previous version |
CVE-2023-24531 |
Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its ou |
CVE-2023-24538 |
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, |
CVE-2023-29402 |
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses |
CVE-2023-29403 |
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain case |
CVE-2023-29404 |
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a |
CVE-2023-29405 |
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a |
CVE-2023-29406 |
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire |
CVE-2023-39318 |
The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may caus |
CVE-2023-39319 |
The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script |
CVE-2023-39325 |
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total |
CVE-2024-24785 |
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html |
|
golang-1.17 (1.17.13-3ubuntu1) jammy; urgency=medium
* Merge from Debian unstable (LP: #1990893). Remaining changes:
- 0001-cmd-link-check-CGO_CFLAGS-for-non-g-I-O-options-befo.patch
disable internal linking when dynamically linking and CGO_CFLAGS
contains flags that might make host object files that the internal
linkers ELF reader does not support. This fixes lots of package builds
when LTO is enabled by default via dpkg-buildflags.
- d/rules: Add NO_PNG_PKG_MANGLE to prevent a test file from being
compressed.
-- William 'jawn-smith' Wilson <email address hidden> Mon, 03 Oct 2022 14:33:32 -0500
|
|
About
-
Send Feedback to @ubuntu_updates