[ubuntu/jammy-security] golang-1.17 1.17.13-3ubuntu1.3 (Accepted)
Allen Huang
allen.huang at canonical.com
Thu Nov 14 17:16:12 UTC 2024
golang-1.17 (1.17.13-3ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Code Injection and Denial of Service
    - debian/patches/CVE-2022-41723.patch: net/http: update bundled
      golang.org/x/net/http2
    - debian/patches/CVE-2022-41724.patch: crypto/tls: replace all
      usages of BytesOrPanic
    - debian/patches/CVE-2022-41725.patch: mime/multipart: limit
      memory/inode consumption of ReadForm
    - debian/patches/CVE-2023-24536.patch: mime/multipart: limit parsed
      mime message sizes
    - debian/patches/CVE-2023-39323.patch: cmd/compile: use absolute
      file name in isCgo check
    - debian/patches/CVE-2023-45288.patch: net/http: update bundled
      golang.org/x/net/http2
    - debian/patches/CVE-2023-45290.patch: net/textproto,
      mime/multipart: avoid unbounded read in MIME header
    - debian/patches/CVE-2024-24783.patch: crypto/x509: make sure pub
      key is non-nil before interface conversion
    - debian/patches/CVE-2024-24784.patch: net/mail: properly handle
      special characters in phrase and obs-phrase
    - debian/patches/CVE-2024-24789.patch: archive/zip: treat truncated
      EOCDR comment as an error
    - debian/patches/CVE-2024-24791.patch: net/http: send body or close
      connection on expect-100-continue requests
    - debian/patches/CVE-2024-34155.patch: go/parser: track depth in
      nested element lists
    - debian/patches/CVE-2024-34156.patch: encoding/gob: cover missed
      cases when checking ignore depth
    - debian/patches/CVE-2024-34158.patch: go/build/constraint: add
      parsing limits
    - CVE-2023-39323
    - CVE-2022-41723
    - CVE-2022-41724
    - CVE-2022-41725
    - CVE-2023-24536
    - CVE-2023-45288
    - CVE-2023-45290
    - CVE-2024-24783
    - CVE-2024-24784
    - CVE-2024-24789
    - CVE-2024-24791
    - CVE-2024-34155
    - CVE-2024-34156
    - CVE-2024-34158
  * debian/source/include-binaries:
    src/archive/zip/testdata/comment-truncated.zip for CVE-2024-24789

Date: 2024-11-14 15:47:11.604706+00:00
Changed-By: Allen Huang <allen.huang at canonical.com>
https://launchpad.net/ubuntu/+source/golang-1.17/1.17.13-3ubuntu1.3
-------------- next part --------------
Sorry, changesfile not available.