ALT Linux Team

Package golang update in p10 on 2022-04-18

ALT-PU-2022-1707-2

Package golang updated to version 1.17.9-alt1.p10 for branch p10 in task 298503.

Closed vulnerabilities

Published: 2022-04-07

BDU:2022-01896

Уязвимость компонентов net.ParseIP, net.ParseCIDR языка программирования Go, позволяющая нарушителю оказать воздействие на целостность данных

Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
References:
Published: 2020-12-14
Modified: 2024-11-21

CVE-2020-29509

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: MEDIUM (5.6)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2020-12-14
Modified: 2024-11-21

CVE-2020-29511

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: MEDIUM (5.6)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2021-08-07
Modified: 2024-11-21

CVE-2021-29923

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Published: 2022-04-20
Modified: 2024-11-21

CVE-2022-24675

encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2022-04-20
Modified: 2024-11-21

CVE-2022-27536

Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to panic.

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2022-04-20
Modified: 2024-11-21

CVE-2022-28327

The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2022-02-12
Modified: 2021-05-22

GHSA-xhqq-x44f-9fgg

Authentication Bypass in github.com/russellhaering/gosaml2

Severity: CRITICAL (9.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: 2.1.2
Back to top