Format: 1.8
Date: Wed, 03 Jan 2024 12:35:19 +0100
Source: golang-1.13
Binary: golang-1.13-go golang-1.13-src
Architecture: armhf
Version: 1.13.8-1ubuntu1.2
Distribution: focal
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: David Fernandez Gonzalez
Description:
 golang-1.13-go - Go programming language compiler, linker, compiled stdlib
 golang-1.13-src - Go programming language - source files
Changes:
 golang-1.13 (1.13.8-1ubuntu1.2) focal-security; urgency=medium
 .
   * SECURITY UPDATE: http request smuggling issue
     - debian/patches/CVE-2022-1705.patch: don't strip whitespace from Transfer-Encoding headers.
     - CVE-2022-1705
   * SECURITY UPDATE: DoS issue due to panic
     - debian/patches/CVE-2022-27664.patch: update bundled golang.org/x/net/http2.
     - debian/patches/CVE-2022-28131.patch: use iterative Skip, rather than recursive.
     - debian/patches/CVE-2022-30631.patch: fix stack exhaustion bug in Reader.Read.
     - debian/patches/CVE-2022-30632.patch: fix stack exhaustion in Glob.
     - debian/patches/CVE-2022-30633.patch: limit depth of nesting in unmarshal.
     - debian/patches/CVE-2022-30635.patch: add a depth limit for ignored fields.
     - debian/patches/CVE-2022-32189.patch: check buffer lengths in GobDecode.
     - debian/patches/CVE-2022-41717.patch: update bundled golang.org/x/net/http2.
     - debian/patches/CVE-2023-24534.patch: avoid overpredicting the number of MIME header keys.
     - CVE-2022-27664
     - CVE-2022-28131
     - CVE-2022-30631
     - CVE-2022-30632
     - CVE-2022-30633
     - CVE-2022-30635
     - CVE-2022-32189
     - CVE-2022-41717
     - CVE-2023-24534
   * SECURITY UPDATE: out-of-bound read issue
     - debian/patches/CVE-2022-2879.patch: limit size of headers.
     - debian/source/include-binaries: add test file bz2 pax-bad-hdr-large.tar.bz2.
     - CVE-2022-2879
   * SECURITY UPDATE: query parameter smuggling issue in Go proxy
     - debian/patches/CVE-2022-2880-pre.patch: reject query values with semicolons.
     - debian/patches/CVE-2022-2880.patch: avoid query parameter smuggling.
     - CVE-2022-2880
   * SECURITY UPDATE: tls session takeover vulnerability
     - debian/patches/CVE-2022-30629.patch: randomly generate ticket_age_add.
     - CVE-2022-30629
   * SECURITY UPDATE: sensitive information exposure
     - debian/patches/CVE-2022-32148.patch: preserve nil values in Header.Clone.
     - CVE-2022-32148
   * SECURITY UPDATE: integer overflow issue
     - debian/patches/CVE-2023-24537.patch: reject large line and column number in //line directives.
     - CVE-2023-24537
   * SECURITY UPDATE: code injection vulnerability
     - debian/patches/CVE-2023-24538.patch: disallow actions in JS template literals.
     - CVE-2023-24538
Checksums-Sha1:
 ad66ff91732ec6e0eecf44183a65cbf461510689 43486736 golang-1.13-go_1.13.8-1ubuntu1.2_armhf.deb
 f29ee45046a993821192a35c41bac8497d53c980 12623584 golang-1.13-src_1.13.8-1ubuntu1.2_armhf.deb
 aeeeb5c3f60f9fee099caac45456757e5153a763 5673 golang-1.13_1.13.8-1ubuntu1.2_armhf.buildinfo
Checksums-Sha256:
 1778e59e6a56cc33067cfe0689ff671c08192c52d95166cc3dddd1160b3c4e23 43486736 golang-1.13-go_1.13.8-1ubuntu1.2_armhf.deb
 732ca69b7f4c10814a5b9cbf64c269d5772a2d3b2065a29cf59f70b708d8fdb4 12623584 golang-1.13-src_1.13.8-1ubuntu1.2_armhf.deb
 ab616109af62ade8a1238a5b56e743d7f043b7725c5aa73036a1d62338725999 5673 golang-1.13_1.13.8-1ubuntu1.2_armhf.buildinfo
Files:
 31cc21fb749dec7f421fe1a644ecbad7 43486736 devel optional golang-1.13-go_1.13.8-1ubuntu1.2_armhf.deb
 e3770c64cc0f5deabcb3a451aacab6e3 12623584 devel optional golang-1.13-src_1.13.8-1ubuntu1.2_armhf.deb
 95aacfe6e7035970c5aac4529352c43f 5673 devel optional golang-1.13_1.13.8-1ubuntu1.2_armhf.buildinfo
Original-Maintainer: Go Compiler Team