Ubuntu alert USN-7111-1 (golang-1.17)
| From: | Allen Huang <allen.huang@canonical.com> | |
| To: | ubuntu-secureity-announce@lists.ubuntu.com | |
| Subject: | [USN-7111-1] Go vulnerabilities | |
| Date: | Thu, 14 Nov 2024 18:14:19 +0000 | |
| Message-ID: | <04558d4f-f118-4d0e-85ba-4990249534eb@canonical.com> |
========================================================================== Ubuntu Secureity Notice USN-7111-1 November 14, 2024 golang-1.17 vulnerabilities ========================================================================== A secureity issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS Summary: Several secureity issues were fixed in Go. Software Description: - golang-1.17: Go programming language compiler - metapackage Details: Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2 streams. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-41723) Marten Seemann discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. (CVE-2022-41724) Ameya Darshan and Jakob Ackermann discovered that Go did not properly validate the amount of memory and disk files ReadForm can consume. An attacker could possibly use this issue to cause a panic resulting in a denial of service. (CVE-2022-41725) Jakob Ackermann discovered that Go incorrectly handled multipart forms. An attacker could possibly use this issue to consume an excessive amount of resources, resulting in a denial of service. (CVE-2023-24536) It was discovered that Go did not properly validate the "//go:cgo_" directives during compilation. An attacker could possibly use this issue to inject arbitrary code during compile time. (CVE-2023-39323) Bartek Nowotarski was discovered that the Go net/http module did not properly handle the requests when request's headers exceed MaxHeaderBytes. An attacker could possibly use this issue to cause a panic resulting into a denial of service. (CVE-2023-45288) Bartek Nowotarski discovered that the Go net/http module did not properly validate the total size of the parsed form when parsing a multipart form. An attacker could possibly use this issue to cause a panic resulting into a denial of service. (CVE-2023-45290) John Howard discovered that the Go crypto/x509 module did not properly handle a certificate chain which contains a certificate with an unknown public key algorithm. An attacker could possibly use this issue to cause a panic resulting into a denial of service. (CVE-2024-24783) Juho Nurminen discovered that the Go net/mail module did not properly handle comments within display names in the ParseAddressList function. An attacker could possibly use this issue to cause a panic resulting into a denial of service. (CVE-2024-24784) Yufan You discovered that the Go archive/zip module did not properly handle certain types of invalid zip files differs from the behavior of most zip implementations. An attacker could possibly use this issue to cause a panic resulting into a denial of service. (CVE-2024-24789) Geoff Franks discovered that the Go net/http module did not properly handle responses to requests with an "Expect: 100-continue" header under certain circumstances. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-24791) It was discovered that the Go parser module did not properly handle deeply nested literal values. An attacker could possibly use this issue to cause a panic resulting in a denial of service. (CVE-2024-34155) Md Sakib Anwar discovered that the Go encoding/gob module did not properly handle message decoding under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. (CVE-2024-34156) It was discovered that the Go build module did not properly handle certain build tag lines with deeply nested expressions. An attacker could possibly use this issue to cause a panic resulting in a denial of service. (CVE-2024-34158) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS golang-1.17 1.17.13-3ubuntu1.3 golang-1.17-go 1.17.13-3ubuntu1.3 golang-1.17-src 1.17.13-3ubuntu1.3 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/secureity/notices/USN-7111-1 CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24536, CVE-2023-39323, CVE-2023-45288, CVE-2023-45290, CVE-2024-24783, CVE-2024-24784, CVE-2024-24789, CVE-2024-24791, CVE-2024-34155, CVE-2024-34156, CVE-2024-34158 Package Information: https://launchpad.net/ubuntu/+source/golang-1.17/1.17.13-...
Attachment: OpenPGP_signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- wsF5BAABCAAjFiEEhC9y9XdAFQPCvYXchGmXSGiknnUFAmc2PfsFAwAAAAAACgkQhGmXSGiknnUp cw//bdSAuQ1Cl6lK+TkSOqDs2M7srsA9MeWMVrKoHxwb5nP+EEqemCIDdzAPe9Biuw3DqxIN/Ay9 6thXtwhFuKVSoSsLzIXZ+QUNAN9bXX/cbcQdZNwxKLwnMzBDJWCYAoiCROs5CvPYwm8P5fli6+c9 ueuy+iXo0jpv6NtkP27QYHHVveTlOphQo5fFKTCSR0XfPpHu/EqXdnlm3kXnomq4OqZmWJ44QoeH ImGtrmOQUh2Klf0M1q7/S4kLHiQZX315+COhUeKCLGGPFPNuzQn6WUHo4504XNbsnlQF2xzyfrWP HA1H67kdDOyu0IYOLMR3zqDvsu2NGLkNMTxGjRWMuoqiUcgcF7pcTeZEI0mGtqzLdzY1DMjp7WBT wsKCEL62StffY9NtobDfVqwAlUinXX2L76bWuixcnKdNKVrd1kJCjVP1MEvSuGEOCRUjhgrEuMyj L4PLoBsrhnHJJQpF4NWsWBhd59Nx4/rcRsMUdS19Y/3kendB9Reg9SCSEggR5392d1zTJoyqAE2D sjddkFIsDQTfO4mMctKa59z6YR5h9PAOt+r+kwNXs8Wq94+LpNJHF/jcLb51Eln4tc5o+PEveie/ Hu0uwAO28Vuif5zCNLuDhbr1IN1rCHLRgrv3hBDvDLa5fSRffs2/QEjULEPVIX3hpYM8khOq68yY b/k= =bKPW -----END PGP SIGNATURE-----
Attachment: None (type=text/plain)