Все бюллетени/p10/ALT-PU-2022-1707-2
ALT-PU-2022-1707-2

Обновление пакета golang в ветке p10

Версия1.17.9-alt1.p10
Задание#298503
Опубликовано2026-02-04
Макс. серьёзностьCRITICAL
Серьёзность:

Закрытые проблемы (8)

BDU:2022-01896
HIGH7.5

Уязвимость компонентов net.ParseIP, net.ParseCIDR языка программирования Go, позволяющая нарушителю оказать воздействие на целостность данных

Опубликовано: 2022-04-07
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:C/A:N
Ссылки
CVE-2020-29509
MEDIUM5.6

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

Опубликовано: 2020-12-14Изменено: 2024-11-21
CVSS 2.0СРЕДНЯЯ 6.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 3.xСРЕДНЯЯ 5.6
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Ссылки
CVE-2020-29511
MEDIUM5.6

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

Опубликовано: 2020-12-14Изменено: 2024-11-21
CVSS 2.0СРЕДНЯЯ 6.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 3.xСРЕДНЯЯ 5.6
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Ссылки
CVE-2021-29923
HIGH7.5

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.

Опубликовано: 2021-08-07Изменено: 2024-11-21
CVSS 2.0СРЕДНЯЯ 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Ссылки
CVE-2022-24675
HIGH7.5

encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.

Опубликовано: 2022-04-20Изменено: 2024-11-21
CVSS 2.0СРЕДНЯЯ 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ссылки
CVE-2022-27536
HIGH7.5

Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to panic.

Опубликовано: 2022-04-20Изменено: 2024-11-21
CVSS 2.0СРЕДНЯЯ 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ссылки
CVE-2022-28327
HIGH7.5

The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.

Опубликовано: 2022-04-20Изменено: 2024-11-21
CVSS 2.0СРЕДНЯЯ 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ссылки
GHSA-xhqq-x44f-9fgg
CRITICAL9.8

Authentication Bypass in github.com/russellhaering/gosaml2

Опубликовано: 2022-02-12Изменено: 2021-05-22
CVSS 3.xКРИТИЧЕСКАЯ 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Ссылки