Advisories ยป MGASA-2022-0356

Updated golang packages fix security vulnerability

Publication date: 05 Oct 2022
Type: security
Affected Mageia releases : 8
CVE: CVE-2022-27664 , CVE-2022-32190


In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can
cause a denial of service because an HTTP/2 connection can hang during
closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

JoinPath and URL.JoinPath do not remove ../ path elements appended to a
relative path. For example, JoinPath("", "../go") returns
the URL "", despite the JoinPath documentation
stating that ../ path elements are removed from the result.