
Mageia 8: 2022-0356 Moderate: Golang DoS and Path Handling Issues

October 5, 2022
Updated golang packages for Mageia 8 fix security vulnerabilities related to denial of service and URL path handling, as identified in MGASA-2022-0356.

Summary

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "", despite the JoinPath documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)
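
For callers that build URLs from untrusted path elements, the following added example (not part of the Mageia advisory or the Go project) checks the output of URL.JoinPath instead of assuming the installed Go release removed the ../ elements. SafeJoinPath and ErrTraversal are hypothetical names, and example.test is a placeholder host.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrTraversal: the joined URL left the base path or kept a ".." segment.
var ErrTraversal = errors.New("joined URL escapes base path")

// SafeJoinPath is a hypothetical wrapper, not a standard-library function.
// It validates what URL.JoinPath produced (see CVE-2022-32190).
func SafeJoinPath(base string, elems ...string) (string, error) {
	b, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	j := b.JoinPath(elems...)
	// j.Path is percent-decoded, so "%2e%2e" is seen as ".." here as well.
	for _, seg := range strings.Split(j.Path, "/") {
		if seg == ".." {
			return "", ErrTraversal
		}
	}
	// A cleaned result must still sit at or below the base path; the "/"
	// suffix stops "/api/v1evil" from matching base "/api/v1".
	root := strings.TrimSuffix(path.Clean("/"+b.Path), "/")
	if p := path.Clean("/" + j.Path); p != root && !strings.HasPrefix(p, root+"/") {
		return "", ErrTraversal
	}
	return j.String(), nil
}

func main() {
	// Constructed inputs for illustration.
	for _, e := range []string{"users/42", "../../admin", "../v1evil"} {
		got, err := SafeJoinPath("https://example.test/api/v1", e)
		fmt.Printf("%-14q -> %q err=%v\n", e, got, err)
	}
}
```

On a patched Go release the second check is the one that fires for "../../admin", because the library has already cleaned the path to a location outside the base.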

References

- https://bugs.mageia.org/show_bug.cgi?id=30835

- https://groups.google.com/g/golang-announce/c/x49AQzIVX-s

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX/

- https://www.cve.org/CVERecord?id=CVE-2022-27664

- https://www.cve.org/CVERecord?id=CVE-2022-32190

Resolution

SRPMS

- 8/core/golang-1.18.6-1.mga8

Publication date: 05 Oct 2022
URL: https://advisories.mageia.org/MGASA-2022-0356.html
Type: security
CVE: CVE-2022-27664, CVE-2022-32190
