Branch sisyphus_mipsel update bulletin.

Package golang updated to version 1.18.3-alt1 for branch sisyphus_mipsel.

Published: 2022-08-10
Modified: 2024-11-21

CVE-2022-29804

Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Published: 2022-08-10
Modified: 2024-11-21

CVE-2022-30580

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Published: 2022-08-10
Modified: 2024-11-21

CVE-2022-30629

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

Severity: LOW (3.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

References:

Published: 2022-07-15
Modified: 2024-11-21

CVE-2022-30634

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Version: 2.1.0

Branch sisyphus_mipsel update on 2022-06-13

ALT-BU-2022-5194-1

ALT-PU-2022-5193-1

Closed vulnerabilities

CVE-2022-29804

CVE-2022-30580

CVE-2022-30629

CVE-2022-30634