oval:org.secpod.oval:def:704691 golang is installed
oval:org.secpod.oval:def:107586 golang is installed
oval:org.secpod.oval:def:503390 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: malformed hosts in URLs leads to authorization bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related i ...
oval:org.secpod.oval:def:503516 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling * golang: invalid public key causes panic in dsa.Verify For more details abou ...
oval:org.secpod.oval:def:1600802 Arbitrary code execution during go get or go get -d: Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git r ...
oval:org.secpod.oval:def:109456 The Go Programming Language.
oval:org.secpod.oval:def:109459 The Go Programming Language.
oval:org.secpod.oval:def:109560 The Go Programming Language.
oval:org.secpod.oval:def:1200073 As discussed upstream -- here and here -- the Go project received notification of an HTTP request smuggling vulnerability in the net/http library. Invalid headers are parsed as valid headers and Double Content-length headers in a request does not generate a 400 error, the second Content-length is i ...
oval:org.secpod.oval:def:109559 The Go Programming Language.
oval:org.secpod.oval:def:66518 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling * golang: invalid public key causes panic in dsa.Verify For more details abou ...
oval:org.secpod.oval:def:66468 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: malformed hosts in URLs leads to authorization bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related i ...
oval:org.secpod.oval:def:204795 The golang packages provide the Go programming language compiler. The following packages have been upgraded to a later upstream version: golang . Security Fix: * golang: arbitrary code execution during "go get" or "go get -d" * golang: smtp.PlainAuth susceptible to man-in-the-m ...
oval:org.secpod.oval:def:203980 The golang packages provide the Go programming language compiler. The following packages have been upgraded to a newer upstream version: golang . Security Fix: * An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable " ...
oval:org.secpod.oval:def:204664 The golang packages provide the Go programming language compiler. The following packages have been upgraded to a later upstream version: golang . Security Fix: * A carry propagation flaw was found in the implementation of the P-256 elliptic curve in golang. An attacker could possibly use this flaw ...
oval:org.secpod.oval:def:66573 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash * golang: data race in certain net/http servers including ReverseProxy can lea ...
oval:org.secpod.oval:def:111759 The Go Programming Language.
oval:org.secpod.oval:def:125228 The Go Programming Language.
oval:org.secpod.oval:def:506288 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The following packages have been upgraded to a later upstream version: golang . Security Fix: * golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader * g ...
oval:org.secpod.oval:def:125260 The Go Programming Language.
oval:org.secpod.oval:def:125694 The Go Programming Language.
oval:org.secpod.oval:def:125573 The Go Programming Language.
oval:org.secpod.oval:def:126149 The Go Programming Language.
oval:org.secpod.oval:def:126143 The Go Programming Language.
oval:org.secpod.oval:def:4501222 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The following packages have been upgraded to a later upstream version: golang . Security Fix: * golang: net: lookup functions may return invalid host names * golang: net/http/httputil: Reverse ...
oval:org.secpod.oval:def:120765 The Go Programming Language.
oval:org.secpod.oval:def:120499 The Go Programming Language.
oval:org.secpod.oval:def:120500 The Go Programming Language.
oval:org.secpod.oval:def:1601472 A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity. A flaw was found in Go, where it attem ...
oval:org.secpod.oval:def:120214 The Go Programming Language.
oval:org.secpod.oval:def:120391 The Go Programming Language.
oval:org.secpod.oval:def:118532 The Go Programming Language.
oval:org.secpod.oval:def:117987 The Go Programming Language.
oval:org.secpod.oval:def:117302 The Go Programming Language.
oval:org.secpod.oval:def:117204 The Go Programming Language.
oval:org.secpod.oval:def:116206 The Go Programming Language.
oval:org.secpod.oval:def:1601028 An issue was discovered in net/http in Go. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command
oval:org.secpod.oval:def:1600981 Go mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service or possibly conduct ECDH private key recovery attacks
oval:org.secpod.oval:def:1600963 In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, b ...
oval:org.secpod.oval:def:113332 The Go Programming Language.
oval:org.secpod.oval:def:1600859 Arbitrary code execution during "go get" via C compiler options: An arbitrary command execution flaw was found in the way Go's go get command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to ca ...
oval:org.secpod.oval:def:113326 The Go Programming Language.
oval:org.secpod.oval:def:113680 The Go Programming Language.
oval:org.secpod.oval:def:114158 The Go Programming Language.
oval:org.secpod.oval:def:111139 The Go Programming Language.
oval:org.secpod.oval:def:111140 The Go Programming Language.
oval:org.secpod.oval:def:110433 The Go Programming Language.
oval:org.secpod.oval:def:110413 The Go Programming Language.
oval:org.secpod.oval:def:110081 The Go Programming Language.
oval:org.secpod.oval:def:110023 The Go Programming Language.
oval:org.secpod.oval:def:1600145 crypto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors.
oval:org.secpod.oval:def:2500504 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
oval:org.secpod.oval:def:4501372 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet For more details about the security issue, including the impact, a CVSS scor ...
oval:org.secpod.oval:def:73600 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The following packages have been upgraded to a later upstream version: golang , delve . Security Fix: * golang: crypto/elliptic: incorrect operations on the P-224 curve * golang: cmd/go: packa ...
oval:org.secpod.oval:def:1504924 delve [1.5.0-2.0.1] - Disable DWARF compression which has issues [1.5.0-2] - Add golang-1.15.4 related patch - Resolves: rhbz#1901189 [1.5.0-1] - Rebase to 1.5.0 - Related: rhbz#1870531 golang [1.15.7-1] - Rebase to 1.15.7 - Resolves: rhbz#1870531 - Resolves: rhbz#1919261 [1.15.5-1] - Rebase to 1.1 ...
oval:org.secpod.oval:def:2500470 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
oval:org.secpod.oval:def:4501390 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The following packages have been upgraded to a later upstream version: golang , delve . Security Fix: * golang: crypto/elliptic: incorrect operations on the P-224 curve * golang: cmd/go: packa ...
oval:org.secpod.oval:def:2500064 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
oval:org.secpod.oval:def:1503037 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1700404 The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigg ...
oval:org.secpod.oval:def:1700298 It was discovered that net/http in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depen ...
oval:org.secpod.oval:def:1505313 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:114024 The Go Programming Language.
oval:org.secpod.oval:def:1700038 Arbitrary code execution during go get or go get -d: Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repo ...
oval:org.secpod.oval:def:114060 The Go Programming Language.
oval:org.secpod.oval:def:1600734 Golang: Elliptic curves carry propagation issue in x86-64 P-256. A carry propagation flaw was found in the implementation of the P-256 elliptic curve in golang. An attacker could use this flaw to extract private keys when static ECDH is used
oval:org.secpod.oval:def:112476 The Go Programming Language.
oval:org.secpod.oval:def:112946 The Go Programming Language.
oval:org.secpod.oval:def:1501993 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1600391 An infinite loop in several big integer routines was discovered that makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client authentication or the Go ssh server libraries are both exposed to this vulnerability.
oval:org.secpod.oval:def:1900667 The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service via a crafted public key to a program that uses HTTPS client certificates or SSH s ...
oval:org.secpod.oval:def:107585 The Go Programming Language.
oval:org.secpod.oval:def:107654 The Go Programming Language.
oval:org.secpod.oval:def:126487 The Go Programming Language.
oval:org.secpod.oval:def:1700697 A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the ...
oval:org.secpod.oval:def:1505057 golang [1.15.14-1] - Rebase to go-1.15.14-1-openssl-fips - Resolves: rhbz#1982287 - Addresses CVE-2021-34558 [1.15.13-4] - Related: rhbz#1978567 go-toolset [1.15.14-1] - Rebase to go-1.15.14-1-openssl-fips - Resolves: rhbz#1982287 - Addresses CVE-2021-34558 [1.15.13-2] - Related: rhbz#1978567
oval:org.secpod.oval:def:2500496 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
oval:org.secpod.oval:def:4501347 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The following packages have been upgraded to a later upstream version: golang . Security Fix: * golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader * g ...
oval:org.secpod.oval:def:4501243 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: net/http: limit growth of header canonicalization cache * golang: syscall: don't close fd 0 on ForkExec error For more details about the security issue, including the i ...
oval:org.secpod.oval:def:1505762 go-toolset [1.16.15-1] - Rebase to Go 1.16.15 golang [1.16.15-1.0.1] - Add patches from 1.16.12 to 1.16.15 - Add Sources for 3 binary files that changed between 1.16.12 and 1.16.15 - Rename base_vrsn to base_version - Reviewed-by: XXX XXX
oval:org.secpod.oval:def:1700888 A validation flaw was found in golang. When invoking functions from WASM modules built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments. The highest threat from this vulnerability is to integrity. An out of bounds ...
oval:org.secpod.oval:def:1505667 delve [1.7.2-1.0.1] - Disable DWARF compression which has issues [1.7.2-1] - Rebase to 1.7.2 - Related: rhbz#2014088 golang [1.17.7-1] - Rebase to Go 1.17.7 - Remove fips memory leak patch - Resolves: rhbz#2015930 go-toolset [1.17.7-1] - Rebase to Go 1.17.7 - Remove fips memory leak patch - Resol ...
oval:org.secpod.oval:def:2500789 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
oval:org.secpod.oval:def:4500895 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: Command-line arguments may overwrite global data * golang: archive/zip: malformed archive may cause panic or memory exhaustion * golang: debug/macho: invalid dynamic s ...
oval:org.secpod.oval:def:2500422 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
oval:org.secpod.oval:def:50990 The Go Programming Language.
oval:org.secpod.oval:def:1700145 Go mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service or possibly conduct ECDH private key recovery attacks. Note: This CVE is also fixed in golang-1.11.3-2.amzn2.0.2 in the golang1.11 extras repository.
oval:org.secpod.oval:def:115893 The Go Programming Language.
oval:org.secpod.oval:def:1600442 An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable "HTTP_PROXY" using the incoming "Proxy" HTTP-request header. The environment variable "HTTP_PROXY" is used by numerous web clients, including Go's net/http package, ...
oval:org.secpod.oval:def:1501532 The golang packages provide the Go programming language compiler. The following packages have been upgraded to a newer upstream version: golang . Security Fix: * An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable "HT ...
oval:org.secpod.oval:def:1900842 The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI appli ...
oval:org.secpod.oval:def:126882 The Go Programming Language.
oval:org.secpod.oval:def:126891 The Go Programming Language.
oval:org.secpod.oval:def:19500317 html/template: improper handling of empty HTML attributes. Templates containing actions in unquoted HTML attributes executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into t ...
oval:org.secpod.oval:def:19500239 html/template: improper sanitization of CSS values. Angle brackets were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected ...
oval:org.secpod.oval:def:1505833 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:19500336 The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value
oval:org.secpod.oval:def:19500353 Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only ...
oval:org.secpod.oval:def:125922 The Go Programming Language.
oval:org.secpod.oval:def:1506690 golang [1.19.10-1.0.1] - New Go version 1.19.10 [CVE-2023-29402] [CVE-2023-29403] [CVE-2023-29404] [CVE-2023-29405] go-toolset [1.19.10-1.0.1] - New Go version 1.19.10 [CVE-2023-29402] [CVE-2023-29403] [CVE-2023-29404] [CVE-2023-29405]
oval:org.secpod.oval:def:1506745 delve [1.9.1-1.0.1] - Disable DWARF compression which has issues [1.9.1-1] - Rebase to 1.9.1 - Related: rhbz#2131026 golang [1.19.10-1.0.1] - New Go version 1.19.10 [CVE-2023-29402] [CVE-2023-29403] [CVE-2023-29404] [CVE-2023-29405] go-toolset [1.19.10-1.0.1] - Update for Go 1.19.10 [CVE-2023-29402 ...
oval:org.secpod.oval:def:5800175 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler. Security Fix: * golang: cmd/go: go command may generate unexpected code at build time when using cgo * golang: cmd/go: go comma ...
oval:org.secpod.oval:def:19500415 The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be impr ...
oval:org.secpod.oval:def:2600130 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
oval:org.secpod.oval:def:507509 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: archive/tar: unbounded memory consumption when reading headers * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * golang: regex ...
oval:org.secpod.oval:def:1506143 golang [1.17.13-1.0.1] - Update tarball to 1.17.12 - Add patches between Go 1.17.12 and Go 1.17.13 - Reviewed-by: David Faust [1.17.12-1] - Update Go to version 1.17.12 - Resolves: rhbz#2109182 go-toolset [1.17.13-1] - Set version to correspond to the matching build golang version
oval:org.secpod.oval:def:124298 The Go Programming Language.
oval:org.secpod.oval:def:2500930 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
oval:org.secpod.oval:def:507474 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler. Security Fix: * golang: archive/tar: unbounded memory consumption when reading headers * golang: net/http/httputil: ReverseProx ...
oval:org.secpod.oval:def:1506393 golang [1.18.9-1] - Update to Go 1.18.9 - Add big-endian.patch - Increase GO_TEST_TIMEOUT_SCALE due to a Brew issue - Add do-not-reuse-far-trampolines.patch - Resolves: rhbz#2149313 [1.18.7-2] - Fix version mismatch from previous rebase - Related: rhbz#2136719 [1.18.7-1] - Update to Go 1.18.7 - Reso ...
oval:org.secpod.oval:def:1701653 An out of bounds read vulnerability was found in debug/macho of the Go standard library. When using the debug/macho standard library and malformed binaries are parsed using Open or OpenFat, it can cause golang to attempt to read outside of a slice causing a panic when calling ImportedSymbols. An a ...
oval:org.secpod.oval:def:5800043 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler. Security Fix: * golang: compress/gzip: stack exhaustion in Reader.Read * golang: net/http: improper sanitization of Transfer-En ...
oval:org.secpod.oval:def:5800042 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler. Security Fix: * golang: archive/tar: unbounded memory consumption when reading headers * golang: net/http/httputil: ReverseProx ...
oval:org.secpod.oval:def:1701085 Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. No description is ...
oval:org.secpod.oval:def:1505758 go-toolset [1.17.10-1] - Set version to correspond to the matching build golang version - delve can be now added to aarch64 as well, remove ifarch. golang [1.17.10-1.0.1] - Add patches between Go 1.17.7 and Go 1.17.10 - Rename base_versn to base_version - Remove unneeded patches from previous versio ...
oval:org.secpod.oval:def:1506228 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:2600063 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
oval:org.secpod.oval:def:1505820 go-toolset [1.18.3-1] - Update to golang 1.18.3 golang [1.18.3-1.0.1] - Rebase to 1.18.3 by adding upstream patches to the 1.18.0 openssl-fips - Modify Patch51852 to remove portions already upstream - Use base_version to distinguish the version of the tarball from the final version - Reviewed-by: Jo ...
oval:org.secpod.oval:def:19500124 2023-05-11: CVE-2022-1996 has changed status to NOT AFFECTED for this package and has been removed from this advisory. A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. A val ...
oval:org.secpod.oval:def:1701718 The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars. This does not impact usages of crypto/ecdsa or crypto/ecdh. HTTP and MIME header parsing could allocate large amounts of memory, even when parsing small inputs. ...
oval:org.secpod.oval:def:1506377 golang [1.18.9-1] - Rebase to Go 1.18.9 - Enable big endian support for fips mode - Fix ppc64le linker issue - Resolves: rhbz#2144547 - Resolves: rhbz#2149311 go-toolset [1.18.9-1] - Rebase to Go 1.18.9 - Enable big endian support for fips mode - Fix ppc64le linker issue - Resolves: rhbz#2144547 - R ...
oval:org.secpod.oval:def:4501209 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: archive/tar: unbounded memory consumption when reading headers * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * golang: regex ...
oval:org.secpod.oval:def:1701302 Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow
oval:org.secpod.oval:def:507776 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler. Security Fix: * golang: html/template: improper handling of JavaScript whitespace For more details about the security issue, in ...
oval:org.secpod.oval:def:507775 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: html/template: improper handling of JavaScript whitespace For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other relat ...
oval:org.secpod.oval:def:1506579 delve [1.9.1-1.0.1] - Disable DWARF compression which has issues [1.9.1-1] - Rebase to 1.9.1 - Related: rhbz#2131026 golang [1.19.9-1] - Rebase to Go 1.19.9 - Resolves: rhbz#2204473 go-toolset [1.19.9-1] - Rebase to Go 1.19.9 - Resolves: rhbz#2204473
oval:org.secpod.oval:def:1506588 golang [1.19.9-2] - Fix TestEncryptOAEP and TLS failures in FIPS mode - Resolves: rhbz#2204476 [1.19.9-1] - Rebase to Go 1.19.9 - Resolves: rhbz#2204476 go-toolset [1.19.9-1] - Update to Go 1.19.9 - Related: rhbz#2204476
oval:org.secpod.oval:def:4501428 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: html/template: improper handling of JavaScript whitespace For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other relat ...
oval:org.secpod.oval:def:19500435 Line directives can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file ...
oval:org.secpod.oval:def:93999 An update for go-toolset and golang is now available for Red Hat Enterprise Linux 9.
oval:org.secpod.oval:def:93992 An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.
oval:org.secpod.oval:def:1701836 Line directives can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file ...
oval:org.secpod.oval:def:1507371 [1.20.12-1] - Rebase to 1.20.12 - Fix CVE-2023-45285 CVE-2023-39326
oval:org.secpod.oval:def:19500549 A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data when a handler ...
oval:org.secpod.oval:def:1702024 A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data when a handler ...
oval:org.secpod.oval:def:509107 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: golang: net/http/internal: Denial of Service via Resource Consumption via HTTP requests golang: cmd/go: Protocol Fallback when fetching modules For more details about the securi ...
oval:org.secpod.oval:def:509110 The golang packages provide the Go programming language compiler. Security Fix: golang: net/http/internal: Denial of Service via Resource Consumption via HTTP requests golang: cmd/go: Protocol Fallback when fetching modules For more details about the security issue, including the impact, a CVSS s ...
oval:org.secpod.oval:def:2600515 The golang packages provide the Go programming language compiler.
oval:org.secpod.oval:def:507749 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: crypto/tls: large handshake records may cause panics * golang: net/http, mime/multipart: denial of service from excessive resource consumption For more details about th ...
oval:org.secpod.oval:def:4501420 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: crypto/tls: large handshake records may cause panics * golang: net/http, mime/multipart: denial of service from excessive resource consumption For more details about th ...
oval:org.secpod.oval:def:1506590 delve [1.9.1-1.0.1] - Disable DWARF compression which has issues [1.9.1-1] - Rebase to 1.9.1 - Related: rhbz#2131026 golang [1.19.6-1] - Rebase to Go 1.19.6 - Resolves: rhbz#2174430 [1.19.4-2] - Fix memory leaks in EVP_{sign,verify}_raw - Resolves: rhbz#2132767 go-toolset [1.19.6-1] - Rebase to Go ...
oval:org.secpod.oval:def:19500197 http2/hpack: avoid quadratic complexity in hpack decoding
oval:org.secpod.oval:def:1701280 Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query ...
oval:org.secpod.oval:def:1700203 Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory ...
oval:org.secpod.oval:def:117048 The Go Programming Language.
oval:org.secpod.oval:def:117049 The Go Programming Language.
oval:org.secpod.oval:def:1507402 [1.20.12-2] - Fix CVE-2024-1394 - Resolves: RHEL-27189
oval:org.secpod.oval:def:1507405 delve [1.20.2-1.0.1] - Disable DWARF compression which has issues [1.20.2-1] - Rebase to 1.20.2 - Resolves: rhbz#2186495 golang [1.20.12-3] - Fix CVE-2024-1394 - Resolves: RHEL-27928 [1.20.12-2] - Fix sources file - Related: RHEL-19231 go-toolset
oval:org.secpod.oval:def:509304 The golang packages provide the Go programming language compiler. Security Fix: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads golang: net/http: memory exhaustion in Request.ParseMultipartForm golang: net/http/cookiejar: incorrect forwarding of sensitive headers ...
oval:org.secpod.oval:def:2600604 The golang packages provide the Go programming language compiler.
oval:org.secpod.oval:def:19500061 Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access contr ...
oval:org.secpod.oval:def:1701150 An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate ap ...