Package golang updated to version 1.22.7-alt1 for branch c10f2 in task 356932.

Published: 2024-09-07
Modified: 2024-11-21

CVE-2024-34155

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

References:

https://go.dev/cl/611238
https://go.dev/issue/69138
https://groups.google.com/g/golang-dev/c/S9POB9NCTdk
https://pkg.go.dev/vuln/GO-2024-3105
https://security.netapp.com/advisory/ntap-20240926-0005/

Published: 2024-09-07
Modified: 2024-11-21

CVE-2024-34156

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

References:

https://go.dev/cl/611239
https://go.dev/issue/69139
https://groups.google.com/g/golang-dev/c/S9POB9NCTdk
https://pkg.go.dev/vuln/GO-2024-3106
https://security.netapp.com/advisory/ntap-20240926-0004/

Published: 2024-09-07
Modified: 2024-11-21

CVE-2024-34158

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

References:

https://go.dev/cl/611240
https://go.dev/issue/69141
https://groups.google.com/g/golang-dev/c/S9POB9NCTdk
https://pkg.go.dev/vuln/GO-2024-3107
https://security.netapp.com/advisory/ntap-20241004-0003/

Version: 2.1.0

Package golang update in c10f2 on 2024-09-06

ALT-PU-2024-12163-2

Closed vulnerabilities

CVE-2024-34155

CVE-2024-34156

CVE-2024-34158