apk package

chainguard/go-1.23

pkg:apk/chainguard/go-1.23

Vulnerabilities (6)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-4673	Med	6.8	< 1.23.10-r0	1.23.10-r0	Jun 11, 2025	Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
CVE-2025-22874	Hig	7.5	< 1.23.10-r0	1.23.10-r0	Jun 11, 2025	Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
CVE-2025-22866	Med	4.0	< 1.23.6-r0	1.23.6-r0	Feb 6, 2025	Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
CVE-2024-34158	Hig	7.5	< 1.23.1-r0	1.23.1-r0	Sep 6, 2024	Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
CVE-2024-34156	Hig	7.5	< 1.23.1-r0	1.23.1-r0	Sep 6, 2024	Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
CVE-2024-34155	Med	4.3	< 1.23.1-r0	1.23.1-r0	Sep 6, 2024	Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

CVE-2025-4673MedJun 11, 2025
affected < 1.23.10-r0fixed 1.23.10-r0
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
CVE-2025-22874HigJun 11, 2025
affected < 1.23.10-r0fixed 1.23.10-r0
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
CVE-2025-22866MedFeb 6, 2025
affected < 1.23.6-r0fixed 1.23.6-r0
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
CVE-2024-34158HigSep 6, 2024
affected < 1.23.1-r0fixed 1.23.1-r0
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
CVE-2024-34156HigSep 6, 2024
affected < 1.23.1-r0fixed 1.23.1-r0
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
CVE-2024-34155MedSep 6, 2024
affected < 1.23.1-r0fixed 1.23.1-r0
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.