Package golang updated to version 1.23.1-alt1 for branch p11 in task 356934.

Published: 2024-09-07
Modified: 2024-11-21

CVE-2024-34155

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

References:

https://go.dev/cl/611238
https://go.dev/issue/69138
https://groups.google.com/g/golang-dev/c/S9POB9NCTdk
https://pkg.go.dev/vuln/GO-2024-3105
https://security.netapp.com/advisory/ntap-20240926-0005/

Published: 2024-09-07
Modified: 2024-11-21

CVE-2024-34156

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

References:

https://go.dev/cl/611239
https://go.dev/issue/69139
https://groups.google.com/g/golang-dev/c/S9POB9NCTdk
https://pkg.go.dev/vuln/GO-2024-3106
https://security.netapp.com/advisory/ntap-20240926-0004/

Published: 2024-09-07
Modified: 2024-11-21

CVE-2024-34158

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

References:

https://go.dev/cl/611240
https://go.dev/issue/69141
https://groups.google.com/g/golang-dev/c/S9POB9NCTdk
https://pkg.go.dev/vuln/GO-2024-3107
https://security.netapp.com/advisory/ntap-20241004-0003/

Version: 2.1.0

Package golang update in p11 on 2024-09-13

ALT-PU-2024-12198-2

Closed vulnerabilities

CVE-2024-34155

CVE-2024-34156

CVE-2024-34158