[ubuntu/jammy-security] golang-1.17 1.17.13-3ubuntu1.2 (Accepted)

Allen Huang allen.huang at canonical.com
Thu Oct 10 10:24:28 UTC 2024


golang-1.17 (1.17.13-3ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Code Injection, XSS, Denial of Service
    - debian/patches/CVE-2023-24531.patch: cmd/go: sanitize go env
      outputs
    - debian/patches/CVE-2023-24538.patch: html/template: disallow
      actions in JS template literals
    - debian/patches/CVE-2023-29402.patch: cmd/go: disallow package
      directories containing newlines
    - debian/patches/CVE-2023-29403.patch: runtime: implement SUID/SGID
      protections. Thanks to Tang Xi from OpenEuler for the backport.
    - debian/patches/CVE-2023-29404.patch: cmd/go: enforce flags with
      non-optional arguments
    - debian/patches/CVE-2023-29405-1.patch: cmd/go,cmd/cgo: in
      _cgo_flags use one line per flag
    - debian/patches/CVE-2023-29405-2.patch: cmd/cgo: correct
      _cgo_flags output
    - debian/patches/CVE-2023-29406.patch: net/http: validate Host
      header before sending
    - debian/patches/CVE-2023-39318.patch: html/template: support
      HTML-like comments in script contexts
    - debian/patches/CVE-2023-39319.patch: html/template: properly
      handle special tags within the script context
    - debian/patches/CVE-2023-39325.patch: net/http: regenerate
      h2_bundle.go
    - debian/patches/CVE-2024-24785.patch: html/template: escape
      additional tokens in MarshalJSON errors
    - CVE-2023-24531
    - CVE-2023-24538
    - CVE-2023-29402
    - CVE-2023-29403
    - CVE-2023-29404
    - CVE-2023-29405
    - CVE-2023-29406
    - CVE-2023-39318
    - CVE-2023-39319
    - CVE-2023-39325
    - CVE-2024-24785
  * debian/patches/0007-backport-syscall-package-1.patch,
    debian/patches/0008-backport-syscall-package-2.patch,
    debian/patches/0009-backport-syscall-package-3.patch,
    debian/patches/0010-backport-syscall-package-4.patch,
    debian/patches/0011-backport-syscall-package-5.patch,
    debian/patches/0012-backport-syscall-package-6.patch: backport
    syscall pacakge for the fix for CVE-2023-29403 from upstream.

Date: 2024-10-09 14:53:22.785163+00:00
Changed-By: Allen Huang <allen.huang at canonical.com>
https://launchpad.net/ubuntu/+source/golang-1.17/1.17.13-3ubuntu1.2
-------------- next part --------------
Sorry, changesfile not available.


More information about the jammy-changes mailing list