[ubuntu/focal-updates] golang-1.18 1.18.1-1ubuntu1~20.04.3 (Accepted)

Ubuntu Archive Robot ubuntu-archive-robot at lists.canonical.com
Thu Nov 14 11:58:30 UTC 2024


golang-1.18 (1.18.1-1ubuntu1~20.04.3) focal-security; urgency=medium

  * SECURITY UPDATE: Code Injection, XSS, Denial of Service
    - debian/patches/CVE-2022-41723.patch: net/http: update bundled
      golang.org/x/net/http2
    - debian/patches/CVE-2022-41724.patch: crypto/tls: replace all
      usages of BytesOrPanic
    - debian/patches/CVE-2022-41725.patch: mime/multipart: limit
      memory/inode consumption of ReadForm
    - debian/patches/CVE-2023-24531.patch: cmd/go: sanitize go env
      outputs
    - debian/patches/CVE-2023-24536.patch: mime/multipart: limit parsed
      mime message sizes
    - debian/patches/CVE-2023-29402.patch: cmd/go: disallow package
      directories containing newlines
    - debian/patches/CVE-2023-29403.patch: runtime: implement SUID/SGID
      protections
    - debian/patches/CVE-2023-29404.patch: cmd/go: enforce flags with
      non-optional arguments
    - debian/patches/CVE-2023-29405-1.patch: cmd/go,cmd/cgo: in
      _cgo_flags use one line per flag
    - debian/patches/CVE-2023-29405-2.patch: cmd/cgo: correct
      _cgo_flags output
    - debian/patches/CVE-2023-29406.patch: net/http: validate Host
      header before sending
    - debian/patches/CVE-2023-39318.patch: html/template: support
      HTML-like comments in script contexts
    - debian/patches/CVE-2023-39319.patch: html/template: properly
      handle special tags within the script context
    - debian/patches/CVE-2023-39323.patch: cmd/compile: use absolute
      file name in isCgo check
    - debian/patches/CVE-2023-39325.patch: net/http: regenerate
      h2_bundle.go
    - debian/patches/CVE-2023-45288.patch: net/http: update bundled
      golang.org/x/net/http2
    - debian/patches/CVE-2023-45290.patch: net/textproto,
      mime/multipart: avoid unbounded read in MIME header
    - debian/patches/CVE-2024-24783.patch: crypto/x509: make sure pub
      key is non-nil before interface conversion
    - debian/patches/CVE-2024-24784.patch: net/mail: properly handle
      special characters in phrase and obs-phrase
    - debian/patches/CVE-2024-24785.patch: html/template: escape
      additional tokens in MarshalJSON errors
    - debian/patches/CVE-2024-24789.patch: archive/zip: treat truncated
      EOCDR comment as an error
    - debian/patches/CVE-2024-24790.patch: net/netip: check if address
      is v6 mapped in Is methods
    - debian/patches/CVE-2024-24791.patch: net/http: send body or close
      connection on expect-100-continue requests
    - debian/patches/CVE-2024-34155.patch: go/parser: track depth in
      nested element lists
    - debian/patches/CVE-2024-34156.patch: encoding/gob: cover missed
      cases when checking ignore depth
    - debian/patches/CVE-2024-34158.patch: go/build/constraint: add
      parsing limits
    - CVE-2022-41723
    - CVE-2022-41724
    - CVE-2022-41725
    - CVE-2023-24531
    - CVE-2023-24536
    - CVE-2023-29402
    - CVE-2023-29403
    - CVE-2023-29404
    - CVE-2023-29405
    - CVE-2023-29406
    - CVE-2023-39318
    - CVE-2023-39319
    - CVE-2023-39323
    - CVE-2023-39325
    - CVE-2023-45288
    - CVE-2023-45290
    - CVE-2024-24783
    - CVE-2024-24784
    - CVE-2024-24785
    - CVE-2024-24789
    - CVE-2024-24790
    - CVE-2024-24791
    - CVE-2024-34155
    - CVE-2024-34156
    - CVE-2024-34158
  * debian/patches/0008-backport-syscall-package-2.patch,
    debian/patches/0009-backport-syscall-package-3.patch,
    debian/patches/0010-backport-syscall-package-4.patch,
    debian/patches/0011-backport-syscall-package-5.patch,
    debian/patches/0012-backport-syscall-package-6.patch: backport
    syscall pacakge for the fix for CVE-2023-29403 from upstream.
  * debian/source/include-binaries:
    src/archive/zip/testdata/comment-truncated.zip for CVE-2024-24789

Date: 2024-11-11 11:39:09.971267+00:00
Changed-By: Allen Huang <allen.huang at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/golang-1.18/1.18.1-1ubuntu1~20.04.3
-------------- next part --------------
Sorry, changesfile not available.


More information about the Focal-changes mailing list