UbuntuUpdates.org

Package "golang-1.22-src"

Name: golang-1.22-src

Description:

Go programming language - source files

Latest version: 1.22.2-2ubuntu0.3
Release: noble (24.04)
Level: security
Repository: main
Head package: golang-1.22
Homepage: https://go.dev/

Other versions of "golang-1.22-src" in Noble

Repository Area Version
base main 1.22.2-2
updates main 1.22.2-2ubuntu0.3

Changelog

Version: 1.22.2-2ubuntu0.3 2024-10-23 12:08:14 UTC

  golang-1.22 (1.22.2-2ubuntu0.3) noble-security; urgency=medium

  * SECURITY UPDATE: denial of service issue when handling
    “Expect: 100-continue” headers
    - debian/patches/CVE-2024-24791.patch: net/http: send body or close
      connection on expect-100-continue requests.
    - CVE-2024-24791
  * SECURITY UPDATE: denial of service issue when calling any Parse functions
    from stack exhaustion
    - debian/patches/CVE-2024-34155.patch: go/parser: track depth in nested
      element lists.
    - CVE-2024-34155
  * SECURITY UPDATE: denial of service issue when decoding a message from
    stack exhaustion
    - debian/patches/CVE-2024-34156.patch: encoding/gob: cover missed cases
      when checking ignore depth.
    - CVE-2024-34156
  * SECURITY UPDATE: denial of service issue when calling Parse on certain
    build tags from stack exhaustion
    - debian/patches/CVE-2024-34158.patch: go/build/constraint: add parsing
      limits.
    - CVE-2024-34158

 -- Evan Caville <email address hidden> Fri, 18 Oct 2024 10:25:58 +1100

CVE-2024-24791 The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational
CVE-2024-34155 Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
CVE-2024-34156 Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-202
CVE-2024-34158 Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Version: 1.22.2-2ubuntu0.1 2024-07-09 15:07:16 UTC

  golang-1.22 (1.22.2-2ubuntu0.1) noble-security; urgency=medium

  * SECURITY UPDATE: denial of service issue
    - debian/patches/CVE-2024-24788.patch: net: check SkipAdditional error
      result
    - CVE-2024-24788
  * SECURITY UPDATE: denial of service issue
    - debian/patches/CVE-2024-24789.patch: archive/zip: treat truncated
      EOCDR comment as an error
    - debian/source/include-binaries: Add zip testdata file
    - CVE-2024-24789
  * SECURITY UPDATE: incorrect IPv4-mapped IPv6 addresses issue
    - debian/patches/CVE-2024-24790.patch: net/netip: check if address is
      v6 mapped in Is methods
    - CVE-2024-24790

 -- Nishit Majithia <email address hidden> Mon, 08 Jul 2024 17:42:31 +0530

CVE-2024-24788 A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
CVE-2024-24789 The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment cou
CVE-2024-24790 The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which woul
