[ubuntu/bionic-updates] golang-1.18 1.18.1-1ubuntu1~18.04.4 (Accepted)

Ubuntu Archive Robot ubuntu-archive-robot at lists.canonical.com
Tue Apr 25 13:28:40 UTC 2023


golang-1.18 (1.18.1-1ubuntu1~18.04.4) bionic-security; urgency=medium

  * SECURITY UPDATE: http request smuggling issue
    - debian/patches/CVE-2022-1705.patch: don't strip whitespace from
      Transfer-Encoding headers
    - CVE-2022-1705
  * SECURITY UPDATE: DoS issue due to panic
    - debian/patches/CVE-2022-1962.patch: limit recursion depth
    - debian/patches/CVE-2022-27664.patch: update bundled golang.org/x/net/http2
    - debian/patches/CVE-2022-28131.patch: use iterative Skip, rather than
      recursive
    - debian/patches/CVE-2022-30630.patch: fix stack exhaustion in Glob
    - debian/patches/CVE-2022-30631.patch: fix stack exhaustion bug in
      Reader.Read
    - debian/patches/CVE-2022-30632.patch: fix stack exhaustion in Glob
    - debian/patches/CVE-2022-30633.patch: limit depth of nesting in unmarshal
    - debian/patches/CVE-2022-30635.patch: add a depth limit for ignored fields
    - debian/patches/CVE-2022-32189.patch: check buffer lengths in GobDecode
    - debian/patches/CVE-2022-41715.patch: limit size of parsed regexps
    - debian/patches/CVE-2022-41717.patch: update bundled golang.org/x/net/http2
    - debian/patches/CVE-2023-24534.patch: avoid overpredicting the number of
      MIME header keys
    - CVE-2022-1962
    - CVE-2022-27664
    - CVE-2022-28131
    - CVE-2022-30630
    - CVE-2022-30631
    - CVE-2022-30632
    - CVE-2022-30633
    - CVE-2022-30635
    - CVE-2022-32189
    - CVE-2022-41715
    - CVE-2022-41717
    - CVE-2023-24534
  * SECURITY UPDATE: out-of-bound read issue
    - debian/patches/CVE-2022-2879.patch: limit size of headers
    - CVE-2022-2879
  * SECURITY UPDATE: query parameter smuggling issue in Go proxy
    - debian/patches/CVE-2022-2880.patch: avoid query parameter smuggling
    - CVE-2022-2880
  * SECURITY UPDATE: Incorrect privilege assignment issue
    - debian/patches/CVE-2022-29526.patch: check correct group in Faccessat
    - CVE-2022-29526
  * SECURITY UPDATE: tls session takeover vulnerability
    - debian/patches/CVE-2022-30629.patch: randomly generate ticket_age_add
    - CVE-2022-30629
  * SECURITY UPDATE: sensitive information exposure
    - debian/patches/CVE-2022-32148.patch: preserve nil values in Header.Clone
    - CVE-2022-32148
  * SECURITY UPDATE: integer overflow issue
    - debian/patches/CVE-2023-24537.patch: reject large line and column number
      in //line directives
    - CVE-2023-24537
  * SECURITY UPDATE: code injection vulnerability
    - debian/patches/CVE-2023-24538.patch: disallow actions in JS template
      literals
    - debian/patches/godebug_dep_test_error.patch: fix test dependency error
    - CVE-2023-24538

Date: 2023-04-25 02:50:16.708444+00:00
Changed-By: Nishit Majithia <nishit.majithia at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/golang-1.18/1.18.1-1ubuntu1~18.04.4