Package "golang-1.21-go"
Name: |
golang-1.21-go
|
Description: |
Go programming language compiler, linker, compiled stdlib
|
Latest version: |
1.21.1-1~ubuntu22.04.3 |
Release: |
jammy (22.04) |
Level: |
updates |
Repository: |
universe |
Head package: |
golang-1.21 |
Homepage: |
https://go.dev/ |
Links
Download "golang-1.21-go"
Other versions of "golang-1.21-go" in Jammy
Changelog
golang-1.21 (1.21.1-1~ubuntu22.04.3) jammy-security; urgency=medium
* SECURITY UPDATE: denial of service issue
- debian/patches/CVE-2023-45288.patch: update bundled golang.org/x/net/http2
- CVE-2023-45288
* SECURITY UPDATE: leak sensitive information
- debian/patches/CVE-2023-45289.patch: net/http, net/http/cookiejar:
avoid subdomain matches on IPv6 zones
- CVE-2023-45289
* SECURITY UPDATE: denial of service issue
- debian/patches/CVE-2023-45290.patch: net/textproto, mime/multipart:
avoid unbounded read in MIME header
- CVE-2023-45290
* SECURITY UPDATE: panic on unknown public key algorithm
- debian/patches/CVE-2024-24783.patch: crypto/x509: make sure pub key
is non-nil before interface conversion
- CVE-2024-24783
* SECURITY UPDATE: panic on handling special characters
- debian/patches/CVE-2024-24784.patch: net/mail: properly handle
special characters in phrase and obs-phrase
- CVE-2024-24784
* SECURITY UPDATE: template injection issue
- debian/patches/CVE-2024-24785.patch: html/template: escape additional
tokens in MarshalJSON errors
- CVE-2024-24785
* SECURITY UPDATE: denial of service issue
- debian/patches/CVE-2024-24789.patch: archive/zip: treat truncated
EOCDR comment as an error
- debian/source/include-binaries: Add zip testdata file
- CVE-2024-24789
* SECURITY UPDATE: incorrect IPv4-mapped IPv6 addresses issue
- debian/patches/CVE-2024-24790.patch: net/netip: check if address is
v6 mapped in Is methods
- CVE-2024-24790
-- Nishit Majithia <email address hidden> Mon, 08 Jul 2024 17:25:00 +0530
|
Source diff to previous version |
CVE-2023-45288 |
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining |
CVE-2023-45289 |
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sens |
CVE-2023-45290 |
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Requ |
CVE-2024-24783 |
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects |
CVE-2024-24784 |
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conformi |
CVE-2024-24785 |
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html |
CVE-2024-24789 |
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment cou |
CVE-2024-24790 |
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which woul |
|
golang-1.21 (1.21.1-1~ubuntu22.04.2) jammy-security; urgency=medium
* SECURITY UPDATE: bypass directives restrictions
- debian/patches/CVE-2023-39323.patch: cmd/compile: use absolute file
name in isCgo check
- CVE-2023-39323
* SECURITY UPDATE: denial of service
- debian/patches/CVE-2023-39325_44487.patch: http2: limit maximum
handler goroutines to MaxConcurrentStreams
- CVE-2023-39325
- CVE-2023-44487
* SECURITY UPDATE: out-of-bound read
- debian/patches/CVE-2023-39326.patch: net/http: limit chunked data
overhead
- CVE-2023-39326
* SECURITY UPDATE: bypass secure protocol
- debian/patches/CVE-2023-45285.patch: error out if the requested repo
does not support a secure protocol
- CVE-2023-45285
-- Nishit Majithia <email address hidden> Mon, 08 Jan 2024 11:54:05 +0530
|
Source diff to previous version |
CVE-2023-39323 |
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed |
CVE-2023-39325 |
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total |
CVE-2023-44487 |
The HTTP/2 protocol allows a denial of service (server resource consum ... |
CVE-2023-39326 |
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network |
CVE-2023-45285 |
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via th |
|
golang-1.21 (1.21.1-1~ubuntu22.04.1) jammy; urgency=medium
* Backport to Jammy (LP: #2040269)
-- Shengjing Zhu <email address hidden> Wed, 25 Oct 2023 16:18:08 +0800
|
2040269 |
[SRU] backport golang-1.21 from mantic |
|
About
-
Send Feedback to @ubuntu_updates