ALT Linux Team

Branch sisyphus update on 2021-02-20

2021-02-20

ALT-BU-2021-3754-1

Branch sisyphus update bulletin.

ALT-PU-2021-1376-1

Package golang updated to version 1.16-alt1 for branch sisyphus in task 266604.

Closed vulnerabilities

Published: 2021-07-15

BDU:2022-00715

Уязвимость пакета crypto/tls языка программирования Go, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (6.5) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Published: 2021-08-02

BDU:2022-00723

Уязвимость компонента math/big.Rat и метода unmarshaltext языка программирования Go, позволяющая нарушителю вызвать аварийный сбой и перезапуск устройства

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2021-05-18

BDU:2022-01685

Уязвимость компонента archive/zip языка программирования Golang, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2021-08-02

BDU:2022-01781

Уязвимость компонента net/http/httputil языка программирования Golang, позволяющая нарушителю оказать воздействие на целостность данных

Severity: MEDIUM (5.3) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
Published: 2021-08-02

BDU:2022-01783

Уязвимость функций net.Lookup{Addr,CNAME,Host} языка программирования Golang, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

Severity: HIGH (7.3) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2021-03-11
Modified: 2024-11-21

CVE-2021-27918

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2021-05-27
Modified: 2024-11-21

CVE-2021-31525

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

Severity: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2021-05-26
Modified: 2024-11-21

CVE-2021-33194

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2021-08-02
Modified: 2024-11-21

CVE-2021-33195

Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.

Severity: HIGH (7.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2021-08-02
Modified: 2024-11-21

CVE-2021-33196

In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2021-08-02
Modified: 2024-11-21

CVE-2021-33197

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.

Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
Published: 2021-08-02
Modified: 2024-11-21

CVE-2021-33198

In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2021-07-15
Modified: 2024-11-21

CVE-2021-34558

The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Published: 2021-08-08
Modified: 2024-11-21

CVE-2021-36221

Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.

Severity: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top