rpm package
suse/go1.19&distro=SUSE Linux Enterprise Module for Development Tools 15 SP4
pkg:rpm/suse/go1.19&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4
Vulnerabilities (26)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-41716 | — | < 1.19.3-150000.1.15.1 | 1.19.3-150000.1.15.1 | Nov 2, 2022 | Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can ex | ||
| CVE-2022-41715 | — | < 1.19.2-150000.1.12.1 | 1.19.2-150000.1.12.1 | Oct 14, 2022 | Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm | ||
| CVE-2022-2880 | — | < 1.19.2-150000.1.12.1 | 1.19.2-150000.1.12.1 | Oct 14, 2022 | Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy s | ||
| CVE-2022-2879 | — | < 1.19.2-150000.1.12.1 | 1.19.2-150000.1.12.1 | Oct 14, 2022 | Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 Mi | ||
| CVE-2022-32190 | — | < 1.19.1-150000.1.9.1 | 1.19.1-150000.1.9.1 | Sep 13, 2022 | JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result. | ||
| CVE-2022-27664 | — | < 1.19.1-150000.1.9.1 | 1.19.1-150000.1.9.1 | Sep 6, 2022 | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. |
- CVE-2022-41716Nov 2, 2022affected < 1.19.3-150000.1.15.1fixed 1.19.3-150000.1.15.1
Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can ex
- CVE-2022-41715Oct 14, 2022affected < 1.19.2-150000.1.12.1fixed 1.19.2-150000.1.12.1
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm
- CVE-2022-2880Oct 14, 2022affected < 1.19.2-150000.1.12.1fixed 1.19.2-150000.1.12.1
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy s
- CVE-2022-2879Oct 14, 2022affected < 1.19.2-150000.1.12.1fixed 1.19.2-150000.1.12.1
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 Mi
- CVE-2022-32190Sep 13, 2022affected < 1.19.1-150000.1.9.1fixed 1.19.1-150000.1.9.1
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
- CVE-2022-27664Sep 6, 2022affected < 1.19.1-150000.1.9.1fixed 1.19.1-150000.1.9.1
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
Page 2 of 2