UbuntuUpdates.org

Package "golang-1.17-src"

Name: golang-1.17-src

Description:

Go programming language - source files
Latest version: 1.17.13-3ubuntu1.3
Release: jammy (22.04)
Level: updates
Repository: universe
Head package: golang-1.17
Homepage: https://go.dev/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "golang-1.17-src"

All arch deb package
APT INSTALL

Other versions of "golang-1.17-src" in Jammy

Repository Area Version
base universe 1.17.3-1ubuntu2
security universe 1.17.13-3ubuntu1.3

Changelog

Version: 1.17.13-3ubuntu1.3 2024-11-14 21:06:54 UTC

  golang-1.17 (1.17.13-3ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Code Injection and Denial of Service
    - debian/patches/CVE-2022-41723.patch: net/http: update bundled
      golang.org/x/net/http2
    - debian/patches/CVE-2022-41724.patch: crypto/tls: replace all
      usages of BytesOrPanic
    - debian/patches/CVE-2022-41725.patch: mime/multipart: limit
      memory/inode consumption of ReadForm
    - debian/patches/CVE-2023-24536.patch: mime/multipart: limit parsed
      mime message sizes
    - debian/patches/CVE-2023-39323.patch: cmd/compile: use absolute
      file name in isCgo check
    - debian/patches/CVE-2023-45288.patch: net/http: update bundled
      golang.org/x/net/http2
    - debian/patches/CVE-2023-45290.patch: net/textproto,
      mime/multipart: avoid unbounded read in MIME header
    - debian/patches/CVE-2024-24783.patch: crypto/x509: make sure pub
      key is non-nil before interface conversion
    - debian/patches/CVE-2024-24784.patch: net/mail: properly handle
      special characters in phrase and obs-phrase
    - debian/patches/CVE-2024-24789.patch: archive/zip: treat truncated
      EOCDR comment as an error
    - debian/patches/CVE-2024-24791.patch: net/http: send body or close
      connection on expect-100-continue requests
    - debian/patches/CVE-2024-34155.patch: go/parser: track depth in
      nested element lists
    - debian/patches/CVE-2024-34156.patch: encoding/gob: cover missed
      cases when checking ignore depth
    - debian/patches/CVE-2024-34158.patch: go/build/constraint: add
      parsing limits
    - CVE-2023-39323
    - CVE-2022-41723
    - CVE-2022-41724
    - CVE-2022-41725
    - CVE-2023-24536
    - CVE-2023-45288
    - CVE-2023-45290
    - CVE-2024-24783
    - CVE-2024-24784
    - CVE-2024-24789
    - CVE-2024-24791
    - CVE-2024-34155
    - CVE-2024-34156
    - CVE-2024-34158
  * debian/source/include-binaries:
    src/archive/zip/testdata/comment-truncated.zip for CVE-2024-24789

 -- Allen Huang <email address hidden> Tue, 05 Nov 2024 15:09:19 +0000
Source diff to previous version
CVE-2022-41723 A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small
CVE-2022-41724 Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients
CVE-2022-41725 A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader
CVE-2023-24536 Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems fro
CVE-2023-39323 Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed
CVE-2023-45288 An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining
CVE-2023-45290 When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Requ
CVE-2024-24783 Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects
CVE-2024-24784 The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conformi
CVE-2024-24789 The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment cou
CVE-2024-24791 The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational
CVE-2024-34155 Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
CVE-2024-34156 Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-202
CVE-2024-34158 Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Version: 1.17.13-3ubuntu1.2 2024-10-10 13:07:06 UTC

  golang-1.17 (1.17.13-3ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Code Injection, XSS, Denial of Service
    - debian/patches/CVE-2023-24531.patch: cmd/go: sanitize go env
      outputs
    - debian/patches/CVE-2023-24538.patch: html/template: disallow
      actions in JS template literals
    - debian/patches/CVE-2023-29402.patch: cmd/go: disallow package
      directories containing newlines
    - debian/patches/CVE-2023-29403.patch: runtime: implement SUID/SGID
      protections. Thanks to Tang Xi from OpenEuler for the backport.
    - debian/patches/CVE-2023-29404.patch: cmd/go: enforce flags with
      non-optional arguments
    - debian/patches/CVE-2023-29405-1.patch: cmd/go,cmd/cgo: in
      _cgo_flags use one line per flag
    - debian/patches/CVE-2023-29405-2.patch: cmd/cgo: correct
      _cgo_flags output
    - debian/patches/CVE-2023-29406.patch: net/http: validate Host
      header before sending
    - debian/patches/CVE-2023-39318.patch: html/template: support
      HTML-like comments in script contexts
    - debian/patches/CVE-2023-39319.patch: html/template: properly
      handle special tags within the script context
    - debian/patches/CVE-2023-39325.patch: net/http: regenerate
      h2_bundle.go
    - debian/patches/CVE-2024-24785.patch: html/template: escape
      additional tokens in MarshalJSON errors
    - CVE-2023-24531
    - CVE-2023-24538
    - CVE-2023-29402
    - CVE-2023-29403
    - CVE-2023-29404
    - CVE-2023-29405
    - CVE-2023-29406
    - CVE-2023-39318
    - CVE-2023-39319
    - CVE-2023-39325
    - CVE-2024-24785
  * debian/patches/0007-backport-syscall-package-1.patch,
    debian/patches/0008-backport-syscall-package-2.patch,
    debian/patches/0009-backport-syscall-package-3.patch,
    debian/patches/0010-backport-syscall-package-4.patch,
    debian/patches/0011-backport-syscall-package-5.patch,
    debian/patches/0012-backport-syscall-package-6.patch: backport
    syscall pacakge for the fix for CVE-2023-29403 from upstream.

 -- Allen Huang <email address hidden> Tue, 24 Sep 2024 14:26:38 +0100
Source diff to previous version
CVE-2023-24531 Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its ou
CVE-2023-24538 Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6,
CVE-2023-29402 The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses
CVE-2023-29403 On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain case
CVE-2023-29404 The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a
CVE-2023-29405 The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a
CVE-2023-29406 The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire
CVE-2023-39318 The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may caus
CVE-2023-39319 The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script
CVE-2023-39325 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total
CVE-2024-24785 If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html

Version: 1.17.13-3ubuntu1 2022-11-23 05:07:20 UTC

  golang-1.17 (1.17.13-3ubuntu1) jammy; urgency=medium

  * Merge from Debian unstable (LP: #1990893). Remaining changes:
    - 0001-cmd-link-check-CGO_CFLAGS-for-non-g-I-O-options-befo.patch
      disable internal linking when dynamically linking and CGO_CFLAGS
      contains flags that might make host object files that the internal
      linkers ELF reader does not support. This fixes lots of package builds
      when LTO is enabled by default via dpkg-buildflags.
    - d/rules: Add NO_PNG_PKG_MANGLE to prevent a test file from being
      compressed.

 -- William 'jawn-smith' Wilson <email address hidden> Mon, 03 Oct 2022 14:33:32 -0500
1990893 Upgrade to 1.17.13


About   -   Send Feedback to @ubuntu_updates