rpm package
almalinux/git-lfs
pkg:rpm/almalinux/git-lfs
Vulnerabilities (33)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-39321 | — | | | < 3.6.1-1.el9 | 3.6.1-1.el9 | Sep 8, 2023 | Processing an incomplete post-handshake message for a QUIC connection can cause a panic. |
| CVE-2022-41717 | — | | | < 3.2.0-1.el9 | 3.2.0-1.el9 | Dec 8, 2022 | An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s |
| CVE-2022-41715 | — | | | < 3.2.0-1.el9 | 3.2.0-1.el9 | Oct 14, 2022 | Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm |
| CVE-2022-2880 | — | | | < 3.2.0-1.el9 | 3.2.0-1.el9 | Oct 14, 2022 | Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy s |
| CVE-2022-27664 | — | | | < 2.13.3-3.el8_6 | 2.13.3-3.el8_6 | Sep 6, 2022 | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. |
| CVE-2022-32148 | — | | | < 2.13.3-3.el8_6 | 2.13.3-3.el8_6 | Aug 9, 2022 | Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the |
| CVE-2022-32189 | — | | | < 2.13.3-3.el8_6 | 2.13.3-3.el8_6 | Aug 9, 2022 | A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. |
| CVE-2022-30630 | — | | | < 2.13.3-3.el8_6 | 2.13.3-3.el8_6 | Aug 9, 2022 | Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. |
| CVE-2022-1705 | — | | | < 2.13.3-3.el8_6 | 2.13.3-3.el8_6 | Aug 9, 2022 | Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid. |
| CVE-2022-30635 | — | | | < 2.13.3-3.el8_6 | 2.13.3-3.el8_6 | Aug 9, 2022 | Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures. |
| CVE-2022-30632 | — | | | < 2.13.3-3.el8_6 | 2.13.3-3.el8_6 | Aug 9, 2022 | Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators. |
| CVE-2020-28852 | — | | | < 2.13.3-3.el8_6 | 2.13.3-3.el8_6 | Jan 2, 2021 | In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) |
| CVE-2020-28851 | — | | | < 2.13.3-3.el8_6 | 2.13.3-3.el8_6 | Jan 2, 2021 | In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) |
Page 2 of 2