From owner-dev-commits-ports-main@freebsd.org Thu Jun 3 23:17:41 2021 Return-Path: Delivered-To: dev-commits-ports-main@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 5C999642C80; Thu, 3 Jun 2021 23:17:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Fx1yY1zhGz3CjY; Thu, 3 Jun 2021 23:17:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 2C5BD127C4; Thu, 3 Jun 2021 23:17:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 153NHfL2000526; Thu, 3 Jun 2021 23:17:41 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 153NHfVw000525; Thu, 3 Jun 2021 23:17:41 GMT (envelope-from git) Date: Thu, 3 Jun 2021 23:17:41 GMT Message-Id: <202106032317.153NHfVw000525@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Dmitri Goutnik Subject: git: 597614c7aa35 - main - security/vuxml: Document lang/go vulnerabilities MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: dmgk X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 597614c7aa35a47ce2f5e909aa2c66055ed89e3a Auto-Submitted: auto-generated X-BeenThere: dev-commits-ports-main@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the main branch of the FreeBSD ports repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Jun 2021 23:17:41 -0000 The branch main has been updated by dmgk: URL: https://cgit.FreeBSD.org/ports/commit/?id=597614c7aa35a47ce2f5e909aa2c66055ed89e3a commit 597614c7aa35a47ce2f5e909aa2c66055ed89e3a Author: Dmitri Goutnik AuthorDate: 2021-06-03 23:11:44 +0000 Commit: Dmitri Goutnik CommitDate: 2021-06-03 23:17:28 +0000 security/vuxml: Document lang/go vulnerabilities --- security/vuxml/vuln.xml | 57 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 4580c7847793..3ec851227805 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -76,6 +76,63 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + go -- multiple vulnerabilities + + + go + 1.16.5,1 + + + + +

The Go project reports:

+
The SetString and UnmarshalText methods of math/big.Rat may cause a + panic or an unrecoverable fatal error if passed inputs with very + large exponents.
+

+
ReverseProxy in net/http/httputil could be made to forward certain + hop-by-hop headers, including Connection. In case the target of the + ReverseProxy was itself a reverse proxy, this would let an attacker + drop arbitrary headers, including those set by the + ReverseProxy.Director.
+

+
The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr + functions in net, and their respective methods on the Resolver type + may return arbitrary values retrieved from DNS which do not follow + the established RFC 1035 rules for domain names. If these names are + used without further sanitization, for instance unsafely included in + HTML, they may allow for injection of unexpected content. Note that + LookupTXT may still return arbitrary values that could require + sanitization before further use.
+

+
The NewReader and OpenReader functions in archive/zip can cause a + panic or an unrecoverable fatal error when reading an archive that + claims to contain a large number of files, regardless of its actual + size.
+

+ + + + CVE-2021-33198 + https://github.com/golang/go/issues/45910 + CVE-2021-33197 + https://github.com/golang/go/issues/46313 + CVE-2021-33195 + https://github.com/golang/go/issues/46241 + CVE-2021-33196 + https://github.com/golang/go/issues/46242 + + + 2021-05-01 + 2021-06-03 + + + aiohttp -- open redirect vulnerability