svn commit: r562103 - head/security/vuxml
Dmitri Goutnik
dmgk at FreeBSD.org
Wed Jan 20 00:25:53 UTC 2021
Author: dmgk
Date: Wed Jan 20 00:25:52 2021
New Revision: 562103
URL: https://svnweb.freebsd.org/changeset/ports/562103
Log:
security/vuxml: Document lang/go vulnerabilities
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Tue Jan 19 23:54:51 2021 (r562102)
+++ head/security/vuxml/vuln.xml Wed Jan 20 00:25:52 2021 (r562103)
@@ -58,6 +58,49 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="6a4805d5-5aaf-11eb-a21d-79f5bc5ef6a9">
+ <topic>go -- cmd/go: packages using cgo can cause arbitrary code execution at build time; crypto/elliptic: incorrect operations on the P-224 curve</topic>
+ <affects>
+ <package>
+ <name>go</name>
+ <range><lt>1.15.7,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Go project reports:</p>
+ <blockquote cite="https://github.com/golang/go/issues/43783">
+ <p>The go command may execute arbitrary code at build time when cgo is
+ in use on Windows. This may occur when running "go get", or
+ any other command that builds code. Only users who build untrusted
+ code (and don't execute it) are affected. In addition to Windows
+ users, this can also affect Unix users who have "." listed
+ explicitly in their PATH and are running "go get" or build
+ commands outside of a module or with module mode disabled.</p>
+ </blockquote>
+ <blockquote cite="https://github.com/golang/go/issues/43786">
+ <p>The P224() Curve implementation can in rare circumstances generate
+ incorrect outputs, including returning invalid points from
+ ScalarMult. The crypto/x509 and golang.org/x/crypto/ocsp (but not
+ crypto/tls) packages support P-224 ECDSA keys, but they are not
+ supported by publicly trusted certificate authorities. No other
+ standard library or golang.org/x/crypto package supports or uses the
+ P-224 curve.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2021-3115</cvename>
+ <url>http://golang.org/issue/43783</url>
+ <cvename>CVE-2021-3114</cvename>
+ <url>http://golang.org/issue/43786</url>
+ </references>
+ <dates>
+ <discovery>2021-01-13</discovery>
+ <entry>2021-01-19</entry>
+ </dates>
+ </vuln>
+
<vuln vid="8899298f-5a92-11eb-8558-3085a9a47796">
<topic>cloud-init -- Wrong access permissions of authorized keys</topic>
<affects>
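Review bot: the two `<url>` references in the new entry (`http://golang.org/issue/43783` and `http://golang.org/issue/43786`) use plain http while the `cite` attributes on the blockquotes above them use https GitHub URLs (`https://github.com/golang/go/issues/43783`, `https://github.com/golang/go/issues/43786`); switch the `<url>` elements to https and, ideally, to the same issue URLs as the `cite` attributes so each CVE is paired with one canonical, TLS-protected reference rather than two different spellings of the same issue.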