rpm package
opensuse/go1.19&distro=openSUSE Leap 15.3
pkg:rpm/opensuse/go1.19&distro=openSUSE%20Leap%2015.3
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-41717 | — | < 1.19.4-150000.1.18.1 | 1.19.4-150000.1.18.1 | Dec 8, 2022 | An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s | ||
| CVE-2022-41720 | — | < 1.19.4-150000.1.18.1 | 1.19.4-150000.1.18.1 | Dec 7, 2022 | On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Op | ||
| CVE-2022-41716 | — | < 1.19.3-150000.1.15.1 | 1.19.3-150000.1.15.1 | Nov 2, 2022 | Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can ex | ||
| CVE-2022-41715 | — | < 1.19.2-150000.1.12.1 | 1.19.2-150000.1.12.1 | Oct 14, 2022 | Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm | ||
| CVE-2022-2880 | — | < 1.19.2-150000.1.12.1 | 1.19.2-150000.1.12.1 | Oct 14, 2022 | Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy s | ||
| CVE-2022-2879 | — | < 1.19.2-150000.1.12.1 | 1.19.2-150000.1.12.1 | Oct 14, 2022 | Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 Mi | ||
| CVE-2022-32190 | — | < 1.19.1-150000.1.9.1 | 1.19.1-150000.1.9.1 | Sep 13, 2022 | JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result. | ||
| CVE-2022-27664 | — | < 1.19.1-150000.1.9.1 | 1.19.1-150000.1.9.1 | Sep 6, 2022 | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. |
- CVE-2022-41717Dec 8, 2022affected < 1.19.4-150000.1.18.1fixed 1.19.4-150000.1.18.1
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s
- CVE-2022-41720Dec 7, 2022affected < 1.19.4-150000.1.18.1fixed 1.19.4-150000.1.18.1
On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Op
- CVE-2022-41716Nov 2, 2022affected < 1.19.3-150000.1.15.1fixed 1.19.3-150000.1.15.1
Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can ex
- CVE-2022-41715Oct 14, 2022affected < 1.19.2-150000.1.12.1fixed 1.19.2-150000.1.12.1
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm
- CVE-2022-2880Oct 14, 2022affected < 1.19.2-150000.1.12.1fixed 1.19.2-150000.1.12.1
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy s
- CVE-2022-2879Oct 14, 2022affected < 1.19.2-150000.1.12.1fixed 1.19.2-150000.1.12.1
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 Mi
- CVE-2022-32190Sep 13, 2022affected < 1.19.1-150000.1.9.1fixed 1.19.1-150000.1.9.1
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
- CVE-2022-27664Sep 6, 2022affected < 1.19.1-150000.1.9.1fixed 1.19.1-150000.1.9.1
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.