oval:org.secpod.oval:def:605133 golang-1.11 is installed

oval:org.secpod.oval:def:705219 golang-1.11 is installed

oval:org.secpod.oval:def:2004050 Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.

oval:org.secpod.oval:def:69866 Multiple security issues were discovered in the implementation of the Go programming language, which could result in denial of service and the P-224 curve implementation could generate incorrect outputs.

oval:org.secpod.oval:def:2004051 Go before 1.12.16 and 1.13.x before 1.13.7 allows attacks on clients via a malformed X.509 certificate.

oval:org.secpod.oval:def:2004943 Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

oval:org.secpod.oval:def:69771 Daniel Mandragona discovered that invalid DSA public keys can cause a panic in dsa.Verify, resulting in denial of service.

oval:org.secpod.oval:def:604546 It was discovered that the Go programming language did accept and normalize invalid HTTP/1.1 headers with a space before the colon, which could lead to filter bypasses or request smuggling in some setups.

oval:org.secpod.oval:def:69762 It was discovered that the Go programming language did accept and normalize invalid HTTP/1.1 headers with a space before the colon, which could lead to filter bypasses or request smuggling in some setups.

oval:org.secpod.oval:def:2004942 net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname nor Port, and is related to a non-numeric port number. For example, an attack ...

oval:org.secpod.oval:def:2004941 An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.

oval:org.secpod.oval:def:69743 Three vulnerabilities have been discovered in the Go programming language; net/url accepted some invalid hosts in URLs which could result in authorisation bypass in some applications and the HTTP/2 implementation was susceptible to denial of service.