Date: Tue, 7 Jun 2022 12:37:35 GMT From: Dmitri Goutnik <dmgk@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: f35fdab00d95 - main - security/vuxml: Document Go vulnerabilities Message-ID: <202206071237.257CbZ4d071315@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by dmgk: URL: https://cgit.FreeBSD.org/ports/commit/?id=f35fdab00d959816a98d417e04f815ff9b30acc0 commit f35fdab00d959816a98d417e04f815ff9b30acc0 Author: Dmitri Goutnik <dmgk@FreeBSD.org> AuthorDate: 2022-06-07 12:33:03 +0000 Commit: Dmitri Goutnik <dmgk@FreeBSD.org> CommitDate: 2022-06-07 12:36:39 +0000 security/vuxml: Document Go vulnerabilities --- security/vuxml/vuln-2022.xml | 65 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 63 insertions(+), 2 deletions(-) diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index a69336426891..a50b1a98a85d 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml @@ -1,3 +1,64 @@ + <vuln vid="15888c7e-e659-11ec-b7fe-10c37b4ac2ea"> + <topic>go -- multiple vulnerabilities</topic> + <affects> + <package> + <name>go118</name> + <range><lt>1.18.3</lt></range> + </package> + <package> + <name>go117</name> + <range><lt>1.17.11</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Go project reports:</p> + <blockquote cite="https://go.dev/issue/52561"> + <p>crypto/rand: rand.Read hangs with extremely large buffers</p> + <p>On Windows, rand.Read will hang indefinitely if passed a + buffer larger than 1 << 32 - 1 bytes.</p> + </blockquote> + <blockquote cite="https://go.dev/issue/52814"> + <p>crypto/tls: session tickets lack random ticket_age_add</p> + <p>Session tickets generated by crypto/tls did not contain + a randomly generated ticket_age_add. This allows an + attacker that can observe TLS handshakes to correlate + successive connections by comparing ticket ages during + session resumption.</p> + </blockquote> + <blockquote cite="https://go.dev/issue/52574"> + <p>os/exec: empty Cmd.Path can result in running unintended + binary on Windows</p> + <p>If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or + cmd.CombinedOutput are executed when Cmd.Path is unset + and, in the working directory, there are binaries named + either "..com" or "..exe", they will be executed.</p> + </blockquote> + <blockquote cite="https://go.dev/issue/52476"> + <p>path/filepath: Clean(`.\c:`) returns `c:` on Windows</p> + <p>On Windows, the filepath.Clean function could convert an + invalid path to a valid, absolute path. For example, + Clean(`.\c:`) returned `c:`.</p> + </blockquote> + </body> + </description> + <references> + <url>https://groups.google.com/g/golang-dev/c/DidEMYAH_n0</url> + <cvename>CVE-2022-30634</cvename> + <url>https://go.dev/issue/52561</url> + <cvename>CVE-2022-30629</cvename> + <url>https://go.dev/issue/52814</url> + <cvename>CVE-2022-30580</cvename> + <url>https://go.dev/issue/52574</url> + <cvename>CVE-2022-29804</cvename> + <url>https://go.dev/issue/52476</url> + </references> + <dates> + <discovery>2022-06-01</discovery> + <entry>2022-06-07</entry> + </dates> + </vuln> + <vuln vid="a58f3fde-e4e0-11ec-8340-2d623369b8b5"> <topic>e2fsprogs -- out-of-bounds read/write vulnerability</topic> <affects> @@ -331,7 +392,7 @@ </package> <package> <name>go117</name> - <range><lt>1.17.10,1</lt></range> + <range><lt>1.17.10</lt></range> </package> </affects> <description> @@ -682,7 +743,7 @@ </package> <package> <name>go117</name> - <range><lt>1.17.9,1</lt></range> + <range><lt>1.17.9</lt></range> </package> </affects> <description>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202206071237.257CbZ4d071315>