rpm package: opensuse/go1.12 (distro: openSUSE Leap 15.1)
pkg:rpm/opensuse/go1.12&distro=openSUSE%20Leap%2015.1
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-17596 | — | — | — | < 1.12.12-lp151.2.25.1 | 1.12.12-lp151.2.25.1 | Oct 24, 2019 | Go before 1.12.11 and 1.13.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates. |
| CVE-2019-16276 | — | — | — | < 1.12.12-lp151.2.25.1 | 1.12.12-lp151.2.25.1 | Sep 30, 2019 | Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. |
| CVE-2019-14809 | — | — | — | < 1.12.9-lp151.2.9.1 | 1.12.9-lp151.2.9.1 | Aug 13, 2019 | net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number… |
| CVE-2019-9512 | — | — | — | < 1.12.9-lp151.2.9.1 | 1.12.9-lp151.2.9.1 | Aug 13, 2019 | Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consum… |
| CVE-2019-9514 | — | — | — | < 1.12.9-lp151.2.9.1 | 1.12.9-lp151.2.9.1 | Aug 13, 2019 | Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer… |
| CVE-2019-5736 | — | — | — | < 1.12.4-lp151.2.3.1 | 1.12.4-lp151.2.3.1 | Feb 11, 2019 | runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new conta… |
| CVE-2019-6486 | — | — | — | < 1.12.4-lp151.2.3.1 | 1.12.4-lp151.2.3.1 | Jan 24, 2019 | Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks. |
| CVE-2018-16875 | — | — | — | < 1.12.4-lp151.2.3.1 | 1.12.4-lp151.2.3.1 | Dec 14, 2018 | The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates… |
| CVE-2018-16874 | — | — | — | < 1.12.4-lp151.2.3.1 | 1.12.4-lp151.2.3.1 | Dec 14, 2018 | In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but… |
| CVE-2018-16873 | — | — | — | < 1.12.4-lp151.2.3.1 | 1.12.4-lp151.2.3.1 | Dec 14, 2018 | In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPA… |
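Deciding which rows of this table still apply to a given host takes an rpm-style version comparison, not a string or float comparison (1.12.12 is newer than 1.12.9, and the release part lp151.2.25.1 only counts once the version part ties). The Go program below is an added example, not code from openSUSE or the Go project: it implements librpm's rpmvercmp segment ordering (numeric runs compare numerically and beat alphabetic runs, `~` sorts before everything, `^` sorts after end of string but before anything else), compares VERSION-RELEASE pairs the way rpm does with epoch assumed 0, and reports which of the ten CVEs are still open for an installed go1.12 build. The installed versions in `main` are constructed samples; on a real Leap 15.1 host the value comes from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' go1.12`.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// fixedIn maps each CVE in the table above to the first fixed go1.12
// VERSION-RELEASE on openSUSE Leap 15.1, copied from the "Fixed in" column.
var fixedIn = map[string]string{
	"CVE-2019-17596": "1.12.12-lp151.2.25.1",
	"CVE-2019-16276": "1.12.12-lp151.2.25.1",
	"CVE-2019-14809": "1.12.9-lp151.2.9.1",
	"CVE-2019-9512":  "1.12.9-lp151.2.9.1",
	"CVE-2019-9514":  "1.12.9-lp151.2.9.1",
	"CVE-2019-5736":  "1.12.4-lp151.2.3.1",
	"CVE-2019-6486":  "1.12.4-lp151.2.3.1",
	"CVE-2018-16875": "1.12.4-lp151.2.3.1",
	"CVE-2018-16874": "1.12.4-lp151.2.3.1",
	"CVE-2018-16873": "1.12.4-lp151.2.3.1",
}

func isDigit(b byte) bool { return b >= '0' && b <= '9' }
func isAlpha(b byte) bool { return (b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') }
func isAlnum(b byte) bool { return isDigit(b) || isAlpha(b) }

// rpmvercmp reproduces librpm's rpmvercmp: returns -1, 0 or 1 as a is
// older than, equal to or newer than b. Separators are skipped, then the
// strings are compared one digit-run or letter-run at a time.
func rpmvercmp(a, b string) int {
	if a == b {
		return 0
	}
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		for i < len(a) && !isAlnum(a[i]) && a[i] != '~' && a[i] != '^' {
			i++
		}
		for j < len(b) && !isAlnum(b[j]) && b[j] != '~' && b[j] != '^' {
			j++
		}
		var ta, tb byte // 0 means end of string
		if i < len(a) {
			ta = a[i]
		}
		if j < len(b) {
			tb = b[j]
		}
		// '~' sorts before anything, including the end of the string
		if ta == '~' || tb == '~' {
			if ta != '~' {
				return 1
			}
			if tb != '~' {
				return -1
			}
			i++
			j++
			continue
		}
		// '^' sorts after end of string but before any other character
		if ta == '^' || tb == '^' {
			if ta == 0 {
				return -1
			}
			if tb == 0 {
				return 1
			}
			if ta != '^' {
				return 1
			}
			if tb != '^' {
				return -1
			}
			i++
			j++
			continue
		}
		if ta == 0 || tb == 0 {
			break
		}
		si, sj := i, j
		isnum := isDigit(ta)
		if isnum {
			for i < len(a) && isDigit(a[i]) {
				i++
			}
			for j < len(b) && isDigit(b[j]) {
				j++
			}
		} else {
			for i < len(a) && isAlpha(a[i]) {
				i++
			}
			for j < len(b) && isAlpha(b[j]) {
				j++
			}
		}
		segA, segB := a[si:i], b[sj:j]
		if segB == "" { // segment types differ: the numeric one is newer
			if isnum {
				return 1
			}
			return -1
		}
		if isnum {
			segA = strings.TrimLeft(segA, "0")
			segB = strings.TrimLeft(segB, "0")
			if len(segA) != len(segB) { // longer number is larger
				if len(segA) > len(segB) {
					return 1
				}
				return -1
			}
		}
		if c := strings.Compare(segA, segB); c != 0 {
			return c
		}
	}
	if i >= len(a) && j >= len(b) {
		return 0
	}
	if i >= len(a) { // whichever side has segments left is newer
		return -1
	}
	return 1
}

// splitVR splits an rpm "VERSION-RELEASE" string at its last '-'.
func splitVR(vr string) (string, string) {
	if k := strings.LastIndex(vr, "-"); k >= 0 {
		return vr[:k], vr[k+1:]
	}
	return vr, ""
}

// compareVR orders two VERSION-RELEASE strings as rpm does: version first,
// release only on a tie. Both epochs are assumed to be 0.
func compareVR(a, b string) int {
	va, ra := splitVR(a)
	vb, rb := splitVR(b)
	if c := rpmvercmp(va, vb); c != 0 {
		return c
	}
	return rpmvercmp(ra, rb)
}

// openCVEs returns, sorted, the CVEs from the table whose fix is newer
// than the installed VERSION-RELEASE.
func openCVEs(installed string) []string {
	var out []string
	for cve, fix := range fixedIn {
		if compareVR(installed, fix) < 0 {
			out = append(out, cve)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample builds; on a real host substitute the output of
	//   rpm -q --qf '%{VERSION}-%{RELEASE}\n' go1.12
	for _, v := range []string{"1.12.4-lp151.2.3.1", "1.12.9-lp151.2.9.1", "1.12.12-lp151.2.25.1"} {
		fmt.Printf("%-22s open: %v\n", v, openCVEs(v))
	}
}
```

A build of 1.12.9-lp151.2.9.1 reports only CVE-2019-16276 and CVE-2019-17596 as open; 1.12.12-lp151.2.25.1 reports none. Note that rpm compares the whole VERSION-RELEASE, so a rebuild such as 1.12.12-lp151.2.20.1 would still be flagged for the two 1.12.12 fixes even though the upstream version matches.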
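CVE-2019-14809 above bites when an application authorizes a destination by inspecting `u.Hostname()` but then dials or redirects with the raw `u.Host`, which on unpatched Go could carry a suffix that neither `Hostname()` nor `Port()` exposed. The function below is an added example, not code from the page or the Go project: it accepts a URL only if `url.Parse` succeeds, the scheme is http or https, `u.Host` can be rebuilt exactly from `Hostname()` plus a numeric `Port()`, and the hostname is on an allowlist. The allowlist and the URLs in `main` are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// allowedHosts is a constructed allowlist for this example.
var allowedHosts = map[string]bool{
	"example.com":     true,
	"api.example.com": true,
}

// hostConsistent reports whether u.Host is fully explained by Hostname()
// and Port(). The CVE-2019-14809 failure mode was a Host such as
// "example.com:foo" whose ":foo" surfaced in neither accessor, so a check
// on Hostname() passed while the connection still used the raw Host.
// Rebuilding Host from the two accessors and demanding equality closes
// that gap; it also rejects a trailing empty port ("example.com:").
func hostConsistent(u *url.URL) bool {
	host, port := u.Hostname(), u.Port()
	rebuilt := host
	if strings.Contains(host, ":") { // IPv6 literal: Host keeps the brackets
		rebuilt = "[" + host + "]"
	}
	if port != "" {
		if _, err := strconv.Atoi(port); err != nil {
			return false
		}
		rebuilt += ":" + port
	}
	return rebuilt == u.Host
}

// checkDestination returns the normalized URL if it may be contacted.
// Go 1.12.8 and later already fail url.Parse on a non-numeric port; the
// hostConsistent check covers older toolchains and any other stray suffix.
func checkDestination(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", errors.New("unsupported scheme " + u.Scheme)
	}
	if !hostConsistent(u) {
		return "", fmt.Errorf("host %q not fully parseable", u.Host)
	}
	if !allowedHosts[strings.ToLower(u.Hostname())] {
		return "", fmt.Errorf("host %q not in allowlist", u.Hostname())
	}
	return u.String(), nil
}

func main() {
	// Constructed inputs; the last three are the shapes a bypass would use.
	for _, raw := range []string{
		"http://example.com/path",
		"https://api.example.com:8443/v1",
		"http://example.com:foo/",
		"http://example.com@evil.com/",
		"http://evil.com/",
	} {
		if dst, err := checkDestination(raw); err != nil {
			fmt.Printf("reject %-36s %v\n", raw, err)
		} else {
			fmt.Printf("allow  %-36s -> %s\n", raw, dst)
		}
	}
}
```

The point of the rebuild check is that the allowlist decision and the later connection both derive from the same validated value: if `u.Host` cannot be reconstructed from the accessors the application inspected, the URL is refused rather than passed along with parts the check never saw.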