[ubuntu/focal-security] golang-1.18 1.18.1-1ubuntu1~20.04.3 (Accepted)
Allen Huang
allen.huang at canonical.com
Thu Nov 14 10:20:38 UTC 2024
golang-1.18 (1.18.1-1ubuntu1~20.04.3) focal-security; urgency=medium
* SECURITY UPDATE: Code Injection, XSS, Denial of Service
- debian/patches/CVE-2022-41723.patch: net/http: update bundled
golang.org/x/net/http2
- debian/patches/CVE-2022-41724.patch: crypto/tls: replace all
usages of BytesOrPanic
- debian/patches/CVE-2022-41725.patch: mime/multipart: limit
memory/inode consumption of ReadForm
- debian/patches/CVE-2023-24531.patch: cmd/go: sanitize go env
outputs
- debian/patches/CVE-2023-24536.patch: mime/multipart: limit parsed
mime message sizes
- debian/patches/CVE-2023-29402.patch: cmd/go: disallow package
directories containing newlines
- debian/patches/CVE-2023-29403.patch: runtime: implement SUID/SGID
protections
- debian/patches/CVE-2023-29404.patch: cmd/go: enforce flags with
non-optional arguments
- debian/patches/CVE-2023-29405-1.patch: cmd/go,cmd/cgo: in
_cgo_flags use one line per flag
- debian/patches/CVE-2023-29405-2.patch: cmd/cgo: correct
_cgo_flags output
- debian/patches/CVE-2023-29406.patch: net/http: validate Host
header before sending
- debian/patches/CVE-2023-39318.patch: html/template: support
HTML-like comments in script contexts
- debian/patches/CVE-2023-39319.patch: html/template: properly
handle special tags within the script context
- debian/patches/CVE-2023-39323.patch: cmd/compile: use absolute
file name in isCgo check
- debian/patches/CVE-2023-39325.patch: net/http: regenerate
h2_bundle.go
- debian/patches/CVE-2023-45288.patch: net/http: update bundled
golang.org/x/net/http2
- debian/patches/CVE-2023-45290.patch: net/textproto,
mime/multipart: avoid unbounded read in MIME header
- debian/patches/CVE-2024-24783.patch: crypto/x509: make sure pub
key is non-nil before interface conversion
- debian/patches/CVE-2024-24784.patch: net/mail: properly handle
special characters in phrase and obs-phrase
- debian/patches/CVE-2024-24785.patch: html/template: escape
additional tokens in MarshalJSON errors
- debian/patches/CVE-2024-24789.patch: archive/zip: treat truncated
EOCDR comment as an error
- debian/patches/CVE-2024-24790.patch: net/netip: check if address
is v6 mapped in Is methods
- debian/patches/CVE-2024-24791.patch: net/http: send body or close
connection on expect-100-continue requests
- debian/patches/CVE-2024-34155.patch: go/parser: track depth in
nested element lists
- debian/patches/CVE-2024-34156.patch: encoding/gob: cover missed
cases when checking ignore depth
- debian/patches/CVE-2024-34158.patch: go/build/constraint: add
parsing limits
- CVE-2022-41723
- CVE-2022-41724
- CVE-2022-41725
- CVE-2023-24531
- CVE-2023-24536
- CVE-2023-29402
- CVE-2023-29403
- CVE-2023-29404
- CVE-2023-29405
- CVE-2023-29406
- CVE-2023-39318
- CVE-2023-39319
- CVE-2023-39323
- CVE-2023-39325
- CVE-2023-45288
- CVE-2023-45290
- CVE-2024-24783
- CVE-2024-24784
- CVE-2024-24785
- CVE-2024-24789
- CVE-2024-24790
- CVE-2024-24791
- CVE-2024-34155
- CVE-2024-34156
- CVE-2024-34158
* debian/patches/0008-backport-syscall-package-2.patch,
debian/patches/0009-backport-syscall-package-3.patch,
debian/patches/0010-backport-syscall-package-4.patch,
debian/patches/0011-backport-syscall-package-5.patch,
debian/patches/0012-backport-syscall-package-6.patch: backport
syscall pacakge for the fix for CVE-2023-29403 from upstream.
* debian/source/include-binaries:
src/archive/zip/testdata/comment-truncated.zip for CVE-2024-24789
Date: 2024-11-11 11:39:09.971267+00:00
Changed-By: Allen Huang <allen.huang at canonical.com>
https://launchpad.net/ubuntu/+source/golang-1.18/1.18.1-1ubuntu1~20.04.3
-------------- next part --------------
Sorry, changesfile not available.
More information about the Focal-changes
mailing list