git: f35fdab00d95 - main - security/vuxml: Document Go vulnerabilities
Date: Tue, 07 Jun 2022 12:37:35 UTC
The branch main has been updated by dmgk:
URL: https://cgit.FreeBSD.org/ports/commit/?id=f35fdab00d959816a98d417e04f815ff9b30acc0
commit f35fdab00d959816a98d417e04f815ff9b30acc0
Author: Dmitri Goutnik <dmgk@FreeBSD.org>
AuthorDate: 2022-06-07 12:33:03 +0000
Commit: Dmitri Goutnik <dmgk@FreeBSD.org>
CommitDate: 2022-06-07 12:36:39 +0000
security/vuxml: Document Go vulnerabilities
---
security/vuxml/vuln-2022.xml | 65 ++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 63 insertions(+), 2 deletions(-)
diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index a69336426891..a50b1a98a85d 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,64 @@
+ <vuln vid="15888c7e-e659-11ec-b7fe-10c37b4ac2ea">
+ <topic>go -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>go118</name>
+ <range><lt>1.18.3</lt></range>
+ </package>
+ <package>
+ <name>go117</name>
+ <range><lt>1.17.11</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Go project reports:</p>
+ <blockquote cite="https://go.dev/issue/52561">
+ <p>crypto/rand: rand.Read hangs with extremely large buffers</p>
+ <p>On Windows, rand.Read will hang indefinitely if passed a
+ buffer larger than 1 << 32 - 1 bytes.</p>
+ </blockquote>
+ <blockquote cite="https://go.dev/issue/52814">
+ <p>crypto/tls: session tickets lack random ticket_age_add</p>
+ <p>Session tickets generated by crypto/tls did not contain
+ a randomly generated ticket_age_add. This allows an
+ attacker that can observe TLS handshakes to correlate
+ successive connections by comparing ticket ages during
+ session resumption.</p>
+ </blockquote>
+ <blockquote cite="https://go.dev/issue/52574">
+ <p>os/exec: empty Cmd.Path can result in running unintended
+ binary on Windows</p>
+ <p>If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or
+ cmd.CombinedOutput are executed when Cmd.Path is unset
+ and, in the working directory, there are binaries named
+ either "..com" or "..exe", they will be executed.</p>
+ </blockquote>
+ <blockquote cite="https://go.dev/issue/52476">
+ <p>path/filepath: Clean(`.\c:`) returns `c:` on Windows</p>
+ <p>On Windows, the filepath.Clean function could convert an
+ invalid path to a valid, absolute path. For example,
+ Clean(`.\c:`) returned `c:`.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://groups.google.com/g/golang-dev/c/DidEMYAH_n0</url>
+ <cvename>CVE-2022-30634</cvename>
+ <url>https://go.dev/issue/52561</url>
+ <cvename>CVE-2022-30629</cvename>
+ <url>https://go.dev/issue/52814</url>
+ <cvename>CVE-2022-30580</cvename>
+ <url>https://go.dev/issue/52574</url>
+ <cvename>CVE-2022-29804</cvename>
+ <url>https://go.dev/issue/52476</url>
+ </references>
+ <dates>
+ <discovery>2022-06-01</discovery>
+ <entry>2022-06-07</entry>
+ </dates>
+ </vuln>
+
<vuln vid="a58f3fde-e4e0-11ec-8340-2d623369b8b5">
<topic>e2fsprogs -- out-of-bounds read/write vulnerability</topic>
<affects>
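Review bot: the XHTML body line `buffer larger than 1 << 32 - 1 bytes.` shows raw `<` characters inside element content; unless the committed file actually spells this as `1 &lt;&lt; 32 - 1`, the file is not well-formed XML and the vuxml validation step will reject it, so please escape the shift operator. The new entry's `<range><lt>1.18.3</lt></range>` and `<range><lt>1.17.11</lt></range>` correctly carry no `,1` epoch suffix, which is in line with the corrections to the older go117 entries further down in this commit.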
@@ -331,7 +392,7 @@
</package>
<package>
<name>go117</name>
- <range><lt>1.17.10,1</lt></range>
+ <range><lt>1.17.10</lt></range>
</package>
</affects>
<description>
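Review bot: the commit message says only "Document Go vulnerabilities", but this hunk also changes an existing entry, dropping the `,1` suffix from `<range><lt>1.17.10,1</lt></range>`; add a sentence to the message explaining why. The fix matters beyond cosmetics: in pkg version comparison the epoch is compared before anything else, so if the go117 package has no PORTEPOCH, every epoch-less version (including fixed 1.17.11 and later) compares lower than `1.17.10,1` and the old range flagged fixed installs as vulnerable.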
@@ -682,7 +743,7 @@
</package>
<package>
<name>go117</name>
- <range><lt>1.17.9,1</lt></range>
+ <range><lt>1.17.9</lt></range>
</package>
</affects>
<description>
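Review bot: this is the same epoch correction as in the `1.17.10,1` hunk above, now for `<range><lt>1.17.9,1</lt></range>`. Since two separate go117 entries in this file carried the stray `,1`, it is worth searching the remaining `go117` and `go118` ranges in vuln-2022.xml and the earlier vuln-*.xml files for an epoch suffix so the cleanup is complete in one commit rather than spread over later ones.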