rpm package
suse/go1.14&distro=SUSE Linux Enterprise Module for Development Tools 15 SP2
pkg:rpm/suse/go1.14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-3114 | — | < 1.14.14-1.32.1 | 1.14.14-1.32.1 | Jan 26, 2021 | In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. | ||
| CVE-2021-3115 | — | < 1.14.14-1.32.1 | 1.14.14-1.32.1 | Jan 26, 2021 | Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). | ||
| CVE-2020-28362 | — | < 1.14.12-1.26.1 | 1.14.12-1.26.1 | Nov 18, 2020 | Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. | ||
| CVE-2020-28367 | — | < 1.14.12-1.26.1 | 1.14.12-1.26.1 | Nov 18, 2020 | Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. | ||
| CVE-2020-28366 | — | < 1.14.12-1.26.1 | 1.14.12-1.26.1 | Nov 18, 2020 | Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. | ||
| CVE-2020-24553 | — | < 1.14.9-1.18.1 | 1.14.9-1.18.1 | Sep 2, 2020 | Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. | ||
| CVE-2020-16845 | — | < 1.14.7-1.15.1 | 1.14.7-1.15.1 | Aug 6, 2020 | Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. | ||
| CVE-2020-14039 | — | < 1.14.7-1.15.1 | 1.14.7-1.15.1 | Jul 17, 2020 | In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete. | ||
| CVE-2020-15586 | — | < 1.14.7-1.15.1 | 1.14.7-1.15.1 | Jul 17, 2020 | Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time. |
- CVE-2021-3114Jan 26, 2021affected < 1.14.14-1.32.1fixed 1.14.14-1.32.1
In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
- CVE-2021-3115Jan 26, 2021affected < 1.14.14-1.32.1fixed 1.14.14-1.32.1
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
- CVE-2020-28362Nov 18, 2020affected < 1.14.12-1.26.1fixed 1.14.12-1.26.1
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
- CVE-2020-28367Nov 18, 2020affected < 1.14.12-1.26.1fixed 1.14.12-1.26.1
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.
- CVE-2020-28366Nov 18, 2020affected < 1.14.12-1.26.1fixed 1.14.12-1.26.1
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
- CVE-2020-24553Sep 2, 2020affected < 1.14.9-1.18.1fixed 1.14.9-1.18.1
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
- CVE-2020-16845Aug 6, 2020affected < 1.14.7-1.15.1fixed 1.14.7-1.15.1
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
- CVE-2020-14039Jul 17, 2020affected < 1.14.7-1.15.1fixed 1.14.7-1.15.1
In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.
- CVE-2020-15586Jul 17, 2020affected < 1.14.7-1.15.1fixed 1.14.7-1.15.1
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.