Debian Security Advisory
DLA-3395-1 golang-1.11 -- LTS security update
- Date Reported: 19 Apr 2023
- Affected Packages: golang-1.11
- Security database references:
  - In the Debian bugtracking system: Bug 989492, Bug 991961.
  - In Mitre's CVE dictionary: CVE-2020-28367, CVE-2021-33196, CVE-2021-36221, CVE-2021-38297, CVE-2021-39293, CVE-2021-41771, CVE-2021-44716, CVE-2021-44717, CVE-2022-23806, CVE-2022-24921.
- More information:
Multiple vulnerabilities were discovered in the Go programming language. An attacker could trigger a denial-of-service (DoS), invalid cryptographic computation, information leak, or arbitrary code execution on the developer's computer in specific situations.
CVE-2020-28367: Code injection in the go command with cgo allows arbitrary code execution at build time via malicious gcc flags specified via a
CVE-2021-33196: In archive/zip, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.
CVE-2021-36221: Go has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.
CVE-2021-38297: Go has a buffer overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
CVE-2021-39293: A related issue that exists because of an incomplete fix for CVE-2021-33196.
CVE-2021-41771: ImportedSymbols in debug/macho (for Open or OpenFat) accesses a memory location after the end of a buffer, aka an out-of-bounds slice situation.
CVE-2021-44716: net/http allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
CVE-2021-44717: Go on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
CVE-2022-23806: Curve.IsOnCurve in crypto/elliptic can incorrectly return true in situations with a big.Int value that is not a valid field element.
CVE-2022-24921: regexp.Compile allows stack exhaustion via a deeply nested expression.
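As an added defensive example (not part of the advisory and not Go's own code), the crypto/elliptic issue above can be guarded at the application layer: coordinates are checked to be canonical field elements in [0, P) before IsOnCurve is consulted, so a non-canonical value is refused whether or not the runtime carries the fix. The function names ValidatePoint and ValidatePublicKey and the sample inputs are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// ValidatePoint rejects coordinates that are not canonical field elements
// before delegating to IsOnCurve. Affected Go versions reduced x and y
// modulo P internally, so an x equal to Gx+P (or a negative x) could be
// reported as on the curve; the explicit range check catches that first.
func ValidatePoint(curve elliptic.Curve, x, y *big.Int) error {
	if x == nil || y == nil {
		return errors.New("nil coordinate")
	}
	p := curve.Params().P
	if x.Sign() < 0 || x.Cmp(p) >= 0 {
		return errors.New("x is not a canonical field element in [0, P)")
	}
	if y.Sign() < 0 || y.Cmp(p) >= 0 {
		return errors.New("y is not a canonical field element in [0, P)")
	}
	if !curve.IsOnCurve(x, y) {
		return errors.New("point is not on the curve")
	}
	return nil
}

// ValidatePublicKey applies the same check to a parsed ECDSA public key,
// the usual place an untrusted point enters an application.
func ValidatePublicKey(pub *ecdsa.PublicKey) error {
	if pub == nil || pub.Curve == nil {
		return errors.New("nil public key or curve")
	}
	return ValidatePoint(pub.Curve, pub.X, pub.Y)
}

func main() {
	c := elliptic.P256()
	params := c.Params()
	// Constructed sample inputs: the generator, and an alias of the
	// generator whose x coordinate has P added to it.
	alias := new(big.Int).Add(params.Gx, params.P)
	fmt.Println("generator:", ValidatePoint(c, params.Gx, params.Gy))
	fmt.Println("alias:", ValidatePoint(c, alias, params.Gy))
}
```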
For Debian 10 buster, these problems have been fixed in version 1.11.6-1+deb10u6.
We recommend that you upgrade your golang-1.11 packages.
For the detailed security status of golang-1.11, please refer to its security tracker page at: https://security-tracker.debian.org/tracker/golang-1.11
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS