VYPR

rpm package

opensuse/go1.11&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/go1.11&distro=openSUSE%20Tumbleweed

Vulnerabilities (15)

  • CVE-2019-9514HigAug 13, 2019
    affected < 1.11.13-10.5fixed 1.11.13-10.5

    Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer

  • CVE-2019-9512HigAug 13, 2019
    affected < 1.11.13-10.5fixed 1.11.13-10.5

    Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consum

  • CVE-2019-14809CriAug 13, 2019
    affected < 1.11.13-10.5fixed 1.11.13-10.5

    net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number

  • CVE-2019-6486HigJan 24, 2019
    affected < 1.11.13-10.5fixed 1.11.13-10.5

    Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.

  • CVE-2018-16875MedDec 14, 2018
    affected < 1.11.13-10.5fixed 1.11.13-10.5

    The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates

  • CVE-2018-16874HigDec 14, 2018
    affected < 1.11.13-10.5fixed 1.11.13-10.5

    In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but

  • CVE-2018-16873HigDec 14, 2018
    affected < 1.11.13-10.5fixed 1.11.13-10.5

    In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPA

  • CVE-2018-6574HigFeb 7, 2018
    affected < 1.11.13-10.5fixed 1.11.13-10.5

    Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

  • CVE-2017-15042MedOct 5, 2017
    affected < 1.11.13-10.5fixed 1.11.13-10.5

    An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement,

  • CVE-2017-15041CriOct 5, 2017
    affected < 1.11.13-10.5fixed 1.11.13-10.5

    Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository in

  • CVE-2017-8932MedJul 6, 2017
    affected < 1.11.13-10.5fixed 1.11.13-10.5

    A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input

  • CVE-2016-5386HigJul 19, 2016
    affected < 1.11.13-10.5fixed 1.11.13-10.5

    The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to

  • CVE-2016-3959HigMay 23, 2016
    affected < 1.11.13-10.5fixed 1.11.13-10.5

    The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses

  • CVE-2015-8618HigJan 27, 2016
    affected < 1.11.13-10.5fixed 1.11.13-10.5

    The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors.

  • CVE-2014-7189Oct 7, 2014
    affected < 1.11.13-10.5fixed 1.11.13-10.5

    crpyto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors.