rpm package
opensuse/go1.20&distro=openSUSE Leap 15.4
pkg:rpm/opensuse/go1.20&distro=openSUSE%20Leap%2015.4
Vulnerabilities (27)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-45285 | — | < 1.20.12-150000.1.35.1 | 1.20.12-150000.1.35.1 | Dec 6, 2023 | Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not | ||
| CVE-2023-39326 | — | < 1.20.12-150000.1.35.1 | 1.20.12-150000.1.35.1 | Dec 6, 2023 | A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of d | ||
| CVE-2023-45284 | — | < 1.20.11-150000.1.32.1 | 1.20.11-150000.1.32.1 | Nov 9, 2023 | On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now corr | ||
| CVE-2023-45283 | — | < 1.20.11-150000.1.32.1 | 1.20.11-150000.1.32.1 | Nov 9, 2023 | The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, | ||
| CVE-2023-39325 | — | < 1.20.10-150000.1.29.1 | 1.20.10-150000.1.29.1 | Oct 11, 2023 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 1.20.10-150000.1.29.1 | 1.20.10-150000.1.29.1 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-39323 | — | < 1.20.9-150000.1.26.1 | 1.20.9-150000.1.26.1 | Oct 5, 2023 | Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires | ||
| CVE-2023-39319 | — | < 1.20.8-150000.1.23.1 | 1.20.8-150000.1.23.1 | Sep 8, 2023 | The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be | ||
| CVE-2023-39318 | — | < 1.20.8-150000.1.23.1 | 1.20.8-150000.1.23.1 | Sep 8, 2023 | The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in contexts. This may cause the template parser to improperly interpret the contents of contexts, causing actions to be improperly escaped. This may | ||
| CVE-2023-29409 | — | < 1.20.7-150000.1.20.1 | 1.20.7-150000.1.20.1 | Aug 2, 2023 | Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are curr | ||
| CVE-2023-29406 | — | < 1.20.6-150000.1.17.1 | 1.20.6-150000.1.17.1 | Jul 11, 2023 | The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value. | ||
| CVE-2023-29405 | — | < 1.20.5-150000.1.14.1 | 1.20.5-150000.1.14.1 | Jun 8, 2023 | The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. F | ||
| CVE-2023-29404 | — | < 1.20.5-150000.1.14.1 | 1.20.5-150000.1.14.1 | Jun 8, 2023 | The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. T | ||
| CVE-2023-29403 | — | < 1.20.5-150000.1.14.1 | 1.20.5-150000.1.14.1 | Jun 8, 2023 | On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is execute | ||
| CVE-2023-29402 | — | < 1.20.5-150000.1.14.1 | 1.20.5-150000.1.14.1 | Jun 8, 2023 | The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules wh | ||
| CVE-2023-24539 | — | < 1.20.4-150000.1.11.1 | 1.20.4-150000.1.11.1 | May 11, 2023 | Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untru | ||
| CVE-2023-24540 | — | < 1.20.4-150000.1.11.1 | 1.20.4-150000.1.11.1 | May 11, 2023 | Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution. | ||
| CVE-2023-29400 | — | < 1.20.4-150000.1.11.1 | 1.20.4-150000.1.11.1 | May 11, 2023 | Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags. | ||
| CVE-2023-24537 | — | < 1.20.3-150000.1.8.1 | 1.20.3-150000.1.8.1 | Apr 6, 2023 | Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow. | ||
| CVE-2023-24538 | — | < 1.20.3-150000.1.8.1 | 1.20.3-150000.1.8.1 | Apr 6, 2023 | Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the act |
- CVE-2023-45285Dec 6, 2023affected < 1.20.12-150000.1.35.1fixed 1.20.12-150000.1.35.1
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not
- CVE-2023-39326Dec 6, 2023affected < 1.20.12-150000.1.35.1fixed 1.20.12-150000.1.35.1
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of d
- CVE-2023-45284Nov 9, 2023affected < 1.20.11-150000.1.32.1fixed 1.20.11-150000.1.32.1
On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now corr
- CVE-2023-45283Nov 9, 2023affected < 1.20.11-150000.1.32.1fixed 1.20.11-150000.1.32.1
The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example,
- CVE-2023-39325Oct 11, 2023affected < 1.20.10-150000.1.29.1fixed 1.20.10-150000.1.29.1
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack
- affected < 1.20.10-150000.1.29.1fixed 1.20.10-150000.1.29.1
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2023-39323Oct 5, 2023affected < 1.20.9-150000.1.26.1fixed 1.20.9-150000.1.26.1
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires
- CVE-2023-39319Sep 8, 2023affected < 1.20.8-150000.1.23.1fixed 1.20.8-150000.1.23.1
The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be
- CVE-2023-39318Sep 8, 2023affected < 1.20.8-150000.1.23.1fixed 1.20.8-150000.1.23.1
The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in contexts. This may cause the template parser to improperly interpret the contents of contexts, causing actions to be improperly escaped. This may
- CVE-2023-29409Aug 2, 2023affected < 1.20.7-150000.1.20.1fixed 1.20.7-150000.1.20.1
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are curr
- CVE-2023-29406Jul 11, 2023affected < 1.20.6-150000.1.17.1fixed 1.20.6-150000.1.17.1
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
- CVE-2023-29405Jun 8, 2023affected < 1.20.5-150000.1.14.1fixed 1.20.5-150000.1.14.1
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. F
- CVE-2023-29404Jun 8, 2023affected < 1.20.5-150000.1.14.1fixed 1.20.5-150000.1.14.1
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. T
- CVE-2023-29403Jun 8, 2023affected < 1.20.5-150000.1.14.1fixed 1.20.5-150000.1.14.1
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is execute
- CVE-2023-29402Jun 8, 2023affected < 1.20.5-150000.1.14.1fixed 1.20.5-150000.1.14.1
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules wh
- CVE-2023-24539May 11, 2023affected < 1.20.4-150000.1.11.1fixed 1.20.4-150000.1.11.1
Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untru
- CVE-2023-24540May 11, 2023affected < 1.20.4-150000.1.11.1fixed 1.20.4-150000.1.11.1
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
- CVE-2023-29400May 11, 2023affected < 1.20.4-150000.1.11.1fixed 1.20.4-150000.1.11.1
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
- CVE-2023-24537Apr 6, 2023affected < 1.20.3-150000.1.8.1fixed 1.20.3-150000.1.8.1
Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.
- CVE-2023-24538Apr 6, 2023affected < 1.20.3-150000.1.8.1fixed 1.20.3-150000.1.8.1
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the act
Page 1 of 2