rpm package

suse/go1.16&distro=SUSE Linux Enterprise Module for Development Tools 15 SP2

pkg:rpm/suse/go1.16&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2

Vulnerabilities (15)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2021-39293	—	< 1.16.8-1.26.1	1.16.8-1.26.1	Jan 24, 2022	In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.
CVE-2021-44717	—	< 1.16.12-1.37.2	1.16.12-1.37.2	Jan 1, 2022	Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
CVE-2021-44716	—	< 1.16.12-1.37.2	1.16.12-1.37.2	Jan 1, 2022	net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
CVE-2021-41772	—	< 1.16.10-1.32.1	1.16.10-1.32.1	Nov 8, 2021	Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
CVE-2021-41771	—	< 1.16.10-1.32.1	1.16.10-1.32.1	Nov 8, 2021	ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
CVE-2021-38297	—	< 1.16.9-1.29.1	1.16.9-1.29.1	Oct 18, 2021	Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
CVE-2021-36221	—	< 1.16.7-1.23.1	1.16.7-1.23.1	Aug 8, 2021	Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.
CVE-2021-33198	—	< 1.16.5-1.17.1	1.16.5-1.17.1	Aug 2, 2021	In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
CVE-2021-33197	—	< 1.16.5-1.17.1	1.16.5-1.17.1	Aug 2, 2021	In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
CVE-2021-33195	—	< 1.16.5-1.17.1	1.16.5-1.17.1	Aug 2, 2021	Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
CVE-2021-33196	—	< 1.16.5-1.17.1	1.16.5-1.17.1	Aug 2, 2021	In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.
CVE-2021-34558	—	< 1.16.6-1.20.1	1.16.6-1.20.1	Jul 15, 2021	The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
CVE-2021-31525	—	< 1.16.4-1.14.2	1.16.4-1.14.2	May 27, 2021	net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
CVE-2021-27919	—	< 1.16.2-1.8.1	1.16.2-1.8.1	Mar 11, 2021	archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
CVE-2021-27918	—	< 1.16.2-1.8.1	1.16.2-1.8.1	Mar 10, 2021	encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.

CVE-2021-39293Jan 24, 2022
affected < 1.16.8-1.26.1fixed 1.16.8-1.26.1
In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.
CVE-2021-44717Jan 1, 2022
affected < 1.16.12-1.37.2fixed 1.16.12-1.37.2
Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
CVE-2021-44716Jan 1, 2022
affected < 1.16.12-1.37.2fixed 1.16.12-1.37.2
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
CVE-2021-41772Nov 8, 2021
affected < 1.16.10-1.32.1fixed 1.16.10-1.32.1
Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
CVE-2021-41771Nov 8, 2021
affected < 1.16.10-1.32.1fixed 1.16.10-1.32.1
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
CVE-2021-38297Oct 18, 2021
affected < 1.16.9-1.29.1fixed 1.16.9-1.29.1
Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
CVE-2021-36221Aug 8, 2021
affected < 1.16.7-1.23.1fixed 1.16.7-1.23.1
Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.
CVE-2021-33198Aug 2, 2021
affected < 1.16.5-1.17.1fixed 1.16.5-1.17.1
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
CVE-2021-33197Aug 2, 2021
affected < 1.16.5-1.17.1fixed 1.16.5-1.17.1
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
CVE-2021-33195Aug 2, 2021
affected < 1.16.5-1.17.1fixed 1.16.5-1.17.1
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
CVE-2021-33196Aug 2, 2021
affected < 1.16.5-1.17.1fixed 1.16.5-1.17.1
In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.
CVE-2021-34558Jul 15, 2021
affected < 1.16.6-1.20.1fixed 1.16.6-1.20.1
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
CVE-2021-31525May 27, 2021
affected < 1.16.4-1.14.2fixed 1.16.4-1.14.2
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
CVE-2021-27919Mar 11, 2021
affected < 1.16.2-1.8.1fixed 1.16.2-1.8.1
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
CVE-2021-27918Mar 10, 2021
affected < 1.16.2-1.8.1fixed 1.16.2-1.8.1
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.