Date: Thu, 6 May 2021 20:13:06 GMT From: Dmitri Goutnik <dmgk@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: bf7bd67c9b10 - main - security/vuxml: Document lang/go vulnerability Message-ID: <202105062013.146KD6a1094661@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by dmgk: URL: https://cgit.FreeBSD.org/ports/commit/?id=bf7bd67c9b107d54328577a2e71b467090b180c4 commit bf7bd67c9b107d54328577a2e71b467090b180c4 Author: Dmitri Goutnik <dmgk@FreeBSD.org> AuthorDate: 2021-05-06 20:10:31 +0000 Commit: Dmitri Goutnik <dmgk@FreeBSD.org> CommitDate: 2021-05-06 20:12:51 +0000 security/vuxml: Document lang/go vulnerability --- security/vuxml/vuln.xml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 62c7279178d7..8b5747c6b00b 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -76,6 +76,36 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="7f242313-aea5-11eb-8151-67f74cf7c704"> + <topic>go -- net/http: ReadRequest can stack overflow due to recursion with very large headers</topic> + <affects> + <package> + <name>go</name> + <range><lt>1.16.4,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The Go project reports:</p> + <blockquote cite="https://github.com/golang/go/issues/45710">; + <p>http.ReadRequest can stack overflow due to recursion when given a + request with a very large header (~8-10MB depending on the + architecture). A http.Server which overrides the default max header + of 1MB by setting Server.MaxHeaderBytes to a much larger value could + also be vulnerable in the same way.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-31525</cvename> + <url>https://github.com/golang/go/issues/45710</url>; + </references> + <dates> + <discovery>2021-04-22</discovery> + <entry>2021-05-06</entry> + </dates> + </vuln> + <vuln vid="50ec3a01-ad77-11eb-8528-8c164582fbac"> <topic>Ansible -- Insecure Temporary File</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202105062013.146KD6a1094661>