From f79183e0bf3ed2ed8a955f7d5391c12735822560 Mon Sep 17 00:00:00 2001 From: Dmitri Goutnik Date: Wed, 7 Sep 2022 07:33:41 -0500 Subject: security/vuxml: Document Go vulnerabilities --- security/vuxml/vuln-2022.xml | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index 5b8bcc218a5f..93c0613e9eca 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml @@ -1,3 +1,44 @@ + + go -- multiple vulnerabilities + + + go118 + 1.18.6 + + + go119 + 1.19.1 + + + + +

The Go project reports:

+
+

net/http: handle server errors after sending GOAWAY

+

A closing HTTP/2 server connection could hang forever + waiting for a clean shutdown that was preempted by a + subsequent fatal error. This failure mode could be + exploited to cause a denial of service.

+
+
+

net/url: JoinPath does not strip relative path components + in all circumstances

+

JoinPath and URL.JoinPath would not remove ../ path + components appended to a relative path.

+
+ +
+ + CVE-2022-27664 + CVE-2022-32190 + https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ + + + 2022-09-06 + 2022-09-07 + +
+ chromium -- insufficient data validation in Mojo -- cgit v1.2.3
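Review bot: In the description body, the two items ("net/http: handle server errors after sending GOAWAY" and "net/url: JoinPath does not strip relative path components in all circumstances") are not tied to the two identifiers in the references block, CVE-2022-27664 and CVE-2022-32190, so a reader cannot tell which CVE belongs to which issue without following the golang-announce link. Consider adding the CVE ID to each item heading. The affected list also gives go118 (1.18.6) and go119 (1.19.1) under a single "multiple vulnerabilities" topic; if either item applies to only one of those packages, say so in the description, since both packages will otherwise be reported as affected by both issues.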