Package golang updated to version 1.8.1-alt1 for branch sisyphus in task 181473.

Published: 2017-10-05
Modified: 2024-11-21

CVE-2017-1000097

On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

https://github.com/golang/go/issues/18141
https://github.com/golang/go/issues/18141
https://go-review.googlesource.com/c/33721/
https://go-review.googlesource.com/c/33721/
https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ
https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ

Published: 2017-10-05
Modified: 2024-11-21

CVE-2017-1000098

The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

https://golang.org/cl/30410
https://golang.org/cl/30410
https://golang.org/issue/17965
https://golang.org/issue/17965
https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ
https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ

Version: 2.1.0

Package golang update in sisyphus on 2017-04-08

ALT-PU-2017-1440-1

Closed vulnerabilities

CVE-2017-1000097

CVE-2017-1000098