Mageia 2022-0356: golang security update | LinuxSecurity.com

What Are You Looking For?

Popular Tags

Contribute
MGASA-2022-0356 - Updated golang packages fix security vulnerability

Publication date: 05 Oct 2022
URL: https://advisories.mageia.org/MGASA-2022-0356.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-27664,
     CVE-2022-32190

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can
cause a denial of service because an HTTP/2 connection can hang during
closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

JoinPath and URL.JoinPath do not remove ../ path elements appended to a
relative path. For example, JoinPath("https://go.dev", "../go") returns
the URL "https://go.dev/../go", despite the JoinPath documentation
stating that ../ path elements are removed from the result.
(CVE-2022-32190)

References:
- https://bugs.mageia.org/show_bug.cgi?id=30835
- https://groups.google.com/g/golang-announce/c/x49AQzIVX-s
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX/
- https://lists.opensuse.org/archives/list/[email protected]/thread/45CM4RE6QKP7LNNZK47362IEHI6U3EGX/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27664
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32190

SRPMS:
- 8/core/golang-1.18.6-1.mga8

Mageia 2022-0356: golang security update

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by...

Summary

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)

References

- https://bugs.mageia.org/show_bug.cgi?id=30835

- https://groups.google.com/g/golang-announce/c/x49AQzIVX-s

- https://lists.fedoraproject.org/archives/list/[email protected]/thread/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX/

- https://lists.opensuse.org/archives/list/[email protected]/thread/45CM4RE6QKP7LNNZK47362IEHI6U3EGX/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27664

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32190

Resolution

MGASA-2022-0356 - Updated golang packages fix security vulnerability

SRPMS

- 8/core/golang-1.18.6-1.mga8

Severity
Publication date: 05 Oct 2022
URL: https://advisories.mageia.org/MGASA-2022-0356.html
Type: security
CVE: CVE-2022-27664, CVE-2022-32190

Related News

EmojiDeploy Attack Chain Targets Misconfigured Azure Service

An IBM Hacker Breaks Down High-Profile Attacks

Vanilla OS Offers a New Take on Security for the Linux Desktop

Microsoft Defender Protects Mac and Linux from Malicious Websites

News

Advisories

HOWTOs

Features

Verifying Linux Server Security: What Every Admin Needs to Know
What Linux, Windows & Mac OS Users Need to Know About VPNs
Complete Guide to Vulnerability Basics
How To Get Live Updates on Critical Linux Security Advisories
Best Linux Backup Solutions to Prevent Data Loss in A Ransomware Attack

About Us

Powered By

Footer Logo

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy. 

Learn More About Our Cookie Policy