USN-6038-2

See a problem?

Source

https://ubuntu.com/security/notices/USN-6038-2

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6038-2.json

JSON Data

https://api.osv.dev/v1/vulns/USN-6038-2

Related

Published

2024-01-09T13:08:13.774987Z

Modified

2024-01-09T13:08:13.774987Z

Summary

golang-1.13, golang-1.16 vulnerabilities

Details

USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16.

CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16.

Original advisory details:

It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. (CVE-2022-1705)

It was discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting into a denial of service. (CVE-2022-1962, CVE-2022-27664, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, CVE-2022-32189, CVE-2022-41715, CVE-2022-41717, CVE-2023-24534, CVE-2023-24537)

It was discovered that Go did not properly implemented the maximum size of file headers in Reader.Read. An attacker could possibly use this issue to cause a panic resulting into a denial of service. (CVE-2022-2879)

It was discovered that the Go net/http module incorrectly handled query parameters in requests forwarded by ReverseProxy. A remote attacker could possibly use this issue to perform an HTTP Query Parameter Smuggling attack. (CVE-2022-2880)

It was discovered that Go did not properly manage the permissions for Faccessat function. A attacker could possibly use this issue to expose sensitive information. (CVE-2022-29526)

It was discovered that Go did not properly generate the values for ticketageadd in session tickets. An attacker could possibly use this issue to observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. (CVE-2022-30629)

It was discovered that Go did not properly manage client IP addresses in net/http. An attacker could possibly use this issue to cause ReverseProxy to set the client IP as the value of the X-Forwarded-For header. (CVE-2022-32148)

It was discovered that Go did not properly validate backticks (`) as Javascript string delimiters, and do not escape them as expected. An attacker could possibly use this issue to inject arbitrary Javascript code into the Go template. (CVE-2023-24538)

References

Affected packages

Ubuntu:Pro:16.04:LTS / golang-1.13

Package

Name: golang-1.13
Purl: pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu1~16.04.3+esm3?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.13.8-1ubuntu1~16.04.3+esm3

Affected versions

1.*

1.13.8-1ubuntu1~16.04.2

1.13.8-1ubuntu1~16.04.3

1.13.8-1ubuntu1~16.04.3+esm2

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "golang-1.13-go-dbgsym": "1.13.8-1ubuntu1~16.04.3+esm3",
            "golang-1.13-go": "1.13.8-1ubuntu1~16.04.3+esm3",
            "golang-1.13-doc": "1.13.8-1ubuntu1~16.04.3+esm3",
            "golang-1.13-src": "1.13.8-1ubuntu1~16.04.3+esm3",
            "golang-1.13": "1.13.8-1ubuntu1~16.04.3+esm3"
        }
    ]
}

Ubuntu:Pro:18.04:LTS / golang-1.13

Package

Name: golang-1.13
Purl: pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu1~18.04.4+esm1?arch=src?distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.13.8-1ubuntu1~18.04.4+esm1

Affected versions

1.*

1.13.8-1ubuntu1~18.04.2

1.13.8-1ubuntu1~18.04.3

1.13.8-1ubuntu1~18.04.4

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "golang-1.13-go-dbgsym": "1.13.8-1ubuntu1~18.04.4+esm1",
            "golang-1.13-go": "1.13.8-1ubuntu1~18.04.4+esm1",
            "golang-1.13-doc": "1.13.8-1ubuntu1~18.04.4+esm1",
            "golang-1.13-src": "1.13.8-1ubuntu1~18.04.4+esm1",
            "golang-1.13": "1.13.8-1ubuntu1~18.04.4+esm1"
        }
    ]
}

Ubuntu:Pro:18.04:LTS / golang-1.16

Package

Name: golang-1.16
Purl: pkg:deb/ubuntu/golang-1.16@1.16.2-0ubuntu1~18.04.2+esm1?arch=src?distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.16.2-0ubuntu1~18.04.2+esm1

Affected versions

1.*

1.16.2-0ubuntu1~18.04.2

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "golang-1.16": "1.16.2-0ubuntu1~18.04.2+esm1",
            "golang-1.16-doc": "1.16.2-0ubuntu1~18.04.2+esm1",
            "golang-1.16-go": "1.16.2-0ubuntu1~18.04.2+esm1",
            "golang-1.16-go-dbgsym": "1.16.2-0ubuntu1~18.04.2+esm1",
            "golang-1.16-src": "1.16.2-0ubuntu1~18.04.2+esm1"
        }
    ]
}

Ubuntu:20.04:LTS / golang-1.13

Package

Name: golang-1.13
Purl: pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu1.2?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.13.8-1ubuntu1.2

Affected versions

1.*

1.13.1-1ubuntu1

1.13.3-1ubuntu1

1.13.4-1ubuntu1

1.13.5-1ubuntu1

1.13.6-1ubuntu1

1.13.6-2ubuntu1

1.13.7-1ubuntu1

1.13.8-1ubuntu1

1.13.8-1ubuntu1.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "golang-1.13-go-dbgsym": "1.13.8-1ubuntu1.2",
            "golang-1.13-go": "1.13.8-1ubuntu1.2",
            "golang-1.13-doc": "1.13.8-1ubuntu1.2",
            "golang-1.13-src": "1.13.8-1ubuntu1.2",
            "golang-1.13": "1.13.8-1ubuntu1.2"
        }
    ]
}

Ubuntu:20.04:LTS / golang-1.16

Package

Name: golang-1.16
Purl: pkg:deb/ubuntu/golang-1.16@1.16.2-0ubuntu1~20.04.1?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.16.2-0ubuntu1~20.04.1

Affected versions

1.*

1.16.2-0ubuntu1~20.04

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "golang-1.16": "1.16.2-0ubuntu1~20.04.1",
            "golang-1.16-doc": "1.16.2-0ubuntu1~20.04.1",
            "golang-1.16-go": "1.16.2-0ubuntu1~20.04.1",
            "golang-1.16-go-dbgsym": "1.16.2-0ubuntu1~20.04.1",
            "golang-1.16-src": "1.16.2-0ubuntu1~20.04.1"
        }
    ]
}

Ubuntu:22.04:LTS / golang-1.13

Package

Name: golang-1.13
Purl: pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu2.22.04.2?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.13.8-1ubuntu2.22.04.2

Affected versions

1.*

1.13.8-1ubuntu2

1.13.8-1ubuntu2.22.04.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "golang-1.13-go-dbgsym": "1.13.8-1ubuntu2.22.04.2",
            "golang-1.13-go": "1.13.8-1ubuntu2.22.04.2",
            "golang-1.13-doc": "1.13.8-1ubuntu2.22.04.2",
            "golang-1.13-src": "1.13.8-1ubuntu2.22.04.2",
            "golang-1.13": "1.13.8-1ubuntu2.22.04.2"
        }
    ]
}