Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 754
Alerts This Week
Warning Icon 1 754

Ubuntu 23.10 USN-6574-1 Critical: Go Code Injection and DoS Threats

ubuntu
Calendar Grey January 11, 2024
Dist Ubuntu Esm H88
Multiple Ubuntu variants have released critical updates addressing Go-related security flaws. Ensure you update now for enhanced protection.
Several security issues were fixed in Go.

Summary

Several security issues were fixed in Go.

Software Description:

- golang-1.20: Go programming language compiler

- golang-1.21: Go programming language compiler

Details:

Takeshi Kaneko discovered that Go did not properly handle comments and

special tags in the script context of html/template module. An attacker

could possibly use this issue to inject Javascript code and perform a cross

site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS,

Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-39318, CVE-2023-39319)

It was discovered that Go did not properly validate the "//go:cgo_"

directives during compilation. An attacker could possibly use this issue to

inject arbitrary code during compile time. (CVE-2023-39323)

It was discovered that Go did not limit the number of simultaneously

executing handler goroutines in the net/http module. An attacker could

possibly use this issue to cause a panic resulting into a denial of service.

(CVE-2023-39325, CVE-2023-44487)

It ...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  golang-1.20                     1.20.8-1ubuntu0.23.10.1
  golang-1.20-go                  1.20.8-1ubuntu0.23.10.1
  golang-1.20-src                 1.20.8-1ubuntu0.23.10.1
  golang-1.21                     1.21.1-1ubuntu0.23.10.1
  golang-1.21-go                  1.21.1-1ubuntu0.23.10.1
  golang-1.21-src                 1.21.1-1ubuntu0.23.10.1

Ubuntu 23.04:
  golang-1.20                     1.20.3-1ubuntu0.2
  golang-1.20-go                  1.20.3-1ubuntu0.2
  golang-1.20-src                 1.20.3-1ubuntu0.2
  golang-1.21                     1.21.1-1~ubuntu23.04.2
  golang-1.21-go                  1.21.1-1~ubuntu23.04.2
  golang-1.21-src                 1.21.1-1~ubuntu23.04.2

Ubuntu 22.04 LTS:
  golang-1.20                     1.20.3-1ubuntu0.1~22.04.1
  golang-1.20-go                  1.20.3-1ubuntu0.1~22.04.1
  golang-1.20-src                 1.20.3-1ubuntu0.1~22.04.1
  golang-1.21                     1.21.1-1~ubuntu22.04.2
  golang-1.21-go                  1.21.1-1~ubuntu22.04.2
  golang-1.21-src                 1.21.1-1~ubuntu22.04.2

Ubuntu 20.04 LTS:
  golang-1.20                     1.20.3-1ubuntu0.1~20.04.1
  golang-1.20-go                  1.20.3-1ubuntu0.1~20.04.1
  golang-1.20-src                 1.20.3-1ubuntu0.1~20.04.1
  golang-1.21                     1.21.1-1~ubuntu20.04.2
  golang-1.21-go                  1.21.1-1~ubuntu20.04.2
  golang-1.21-src                 1.21.1-1~ubuntu20.04.2

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-6574-1

CVE-2023-39318, CVE-2023-39319, CVE-2023-39323, CVE-2023-39325,

CVE-2023-39326, CVE-2023-44487, CVE-2023-45285

Severity
critical
Lowest
Low
Medium
High
Critical

Ubuntu Security Notice USN-6574-1

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.