{ "schema_version": "1.7.0", "id": "MGASA-2022-0262", "published": "2022-07-16T19:58:20Z", "modified": "2022-07-16T19:10:07Z", "summary": "Updated golang packages fix security vulnerability", "details": "net/http: improper sanitization of Transfer-Encoding header\nThe HTTP/1 client accepted some invalid Transfer-Encoding headers as\nindicating a \"chunked\" encoding. This could potentially allow for request\nsmuggling, but only if combined with an intermediate server that also\nimproperly failed to reject the header as invalid. (CVE-2022-1705)\n\nWhen httputil.ReverseProxy.ServeHTTP was called with a Request.Header map\ncontaining a nil value for the X-Forwarded-For header, ReverseProxy would\nset the client IP as the value of the X-Forwarded-For header, contrary to\nits documentation. In the more usual case where a Director function set\nthe X-Forwarded-For header value to nil, ReverseProxy would leave the\nheader unmodified as expected. (CVE-2022-32148)\n\ncompress/gzip: stack exhaustion in Reader.Read\nCalling Reader.Read on an archive containing a large number of\nconcatenated 0-length compressed files can cause a panic due to stack\nexhaustion. (CVE-2022-30631)\n\nencoding/xml: stack exhaustion in Unmarshal\nCalling Unmarshal on a XML document into a Go struct which has a nested\nfield that uses the any field tag can cause a panic due to stack\nexhaustion. (CVE-2022-30633)\n\nencoding/xml: stack exhaustion in Decoder.Skip\nCalling Decoder.Skip when parsing a deeply nested XML document can cause a\npanic due to stack exhaustion. (CVE-2022-28131)\n\nencoding/gob: stack exhaustion in Decoder.Decode\nCalling Decoder.Decode on a message which contains deeply nested\nstructures can cause a panic due to stack exhaustion. (CVE-2022-30635)\n\npath/filepath: stack exhaustion in Glob\nCalling Glob on a path which contains a large number of path separators\ncan cause a panic due to stack exhaustion. (CVE-2022-30632)\n\nio/fs: stack exhaustion in Glob\nCalling Glob on a path which contains a large number of path separators\ncan cause a panic due to stack exhaustion. (CVE-2022-30630)\n\ngo/parser: stack exhaustion in all Parse* functions\nCalling any of the Parse functions on Go source code which contains deeply\nnested types or declarations can cause a panic due to stack exhaustion.\n(CVE-2022-1962)\n", "upstream": [ "CVE-2022-1705", "CVE-2022-32148", "CVE-2022-30631", "CVE-2022-30633", "CVE-2022-28131", "CVE-2022-30635", "CVE-2022-30632", "CVE-2022-30630", "CVE-2022-1962" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2022-0262.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=30639" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CUFBL2GZMN756YELNBCPJO3MTCGYXSYH/" }, { "type": "WEB", "url": "https://go.dev/issue/53188" }, { "type": "WEB", "url": "https://go.dev/issue/53423" }, { "type": "WEB", "url": "https://go.dev/issue/53168" }, { "type": "WEB", "url": "https://go.dev/issue/53611" }, { "type": "WEB", "url": "https://go.dev/issue/53614" }, { "type": "WEB", "url": "https://go.dev/issue/53416" }, { "type": "WEB", "url": "https://go.dev/issue/53415" }, { "type": "WEB", "url": "https://go.dev/issue/53616" } ], "affected": [ { "package": { "ecosystem": "Mageia:8", "name": "golang", "purl": "pkg:rpm/mageia/golang?arch=source&distro=mageia-8" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.17.12-1.mga8" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }