[ubuntu/jammy-security] golang-1.13 1.13.8-1ubuntu2.22.04.2 (Accepted)
David Fernandez Gonzalez
david.fernandezgonzalez at canonical.com
Tue Jan 9 12:47:23 UTC 2024
golang-1.13 (1.13.8-1ubuntu2.22.04.2) jammy-security; urgency=medium
* SECURITY UPDATE: http request smuggling issue
- debian/patches/CVE-2022-1705.patch: don't strip whitespace from
Transfer-Encoding headers.
- CVE-2022-1705
* SECURITY UPDATE: DoS issue due to panic
- debian/patches/CVE-2022-27664.patch: update bundled golang.org/x/net/http2.
- debian/patches/CVE-2022-28131.patch: use iterative Skip, rather than
recursive.
- debian/patches/CVE-2022-30631.patch: fix stack exhaustion bug in
Reader.Read.
- debian/patches/CVE-2022-30632.patch: fix stack exhaustion in Glob.
- debian/patches/CVE-2022-30633.patch: limit depth of nesting in unmarshal.
- debian/patches/CVE-2022-30635.patch: add a depth limit for ignored fields.
- debian/patches/CVE-2022-32189.patch: check buffer lengths in GobDecode.
- debian/patches/CVE-2022-41717.patch: update bundled golang.org/x/net/http2.
- debian/patches/CVE-2023-24534.patch: avoid overpredicting the number of
MIME header keys.
- CVE-2022-27664
- CVE-2022-28131
- CVE-2022-30631
- CVE-2022-30632
- CVE-2022-30633
- CVE-2022-30635
- CVE-2022-32189
- CVE-2022-41717
- CVE-2023-24534
* SECURITY UPDATE: out-of-bound read issue
- debian/patches/CVE-2022-2879.patch: limit size of headers.
- debian/source/include-binaries: add test file bz2
pax-bad-hdr-large.tar.bz2.
- CVE-2022-2879
* SECURITY UPDATE: query parameter smuggling issue in Go proxy
- debian/patches/CVE-2022-2880-pre.patch: reject query values with
semicolons.
- debian/patches/CVE-2022-2880.patch: avoid query parameter smuggling.
- CVE-2022-2880
* SECURITY UPDATE: tls session takeover vulnerability
- debian/patches/CVE-2022-30629.patch: randomly generate ticket_age_add.
- CVE-2022-30629
* SECURITY UPDATE: sensitive information exposure
- debian/patches/CVE-2022-32148.patch: preserve nil values in Header.Clone.
- CVE-2022-32148
* SECURITY UPDATE: integer overflow issue
- debian/patches/CVE-2023-24537.patch: reject large line and column number
in //line directives.
- CVE-2023-24537
* SECURITY UPDATE: code injection vulnerability
- debian/patches/CVE-2023-24538.patch: disallow actions in JS template
literals.
- CVE-2023-24538
Date: 2024-01-09 09:32:12.034524+00:00
Changed-By: David Fernandez Gonzalez <david.fernandezgonzalez at canonical.com>
https://launchpad.net/ubuntu/+source/golang-1.13/1.13.8-1ubuntu2.22.04.2
-------------- next part --------------
Sorry, changesfile not available.
More information about the jammy-changes
mailing list