Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2021:2186-1

Опубликовано: 28 июн. 2021
Источник: suse-cvrf

Описание

Security update for go1.16

This update for go1.16 fixes the following issues:

Update to 1.16.5.

Includes these security fixes

  • CVE-2021-33195: net: Lookup functions may return invalid host names (bsc#1187443).
  • CVE-2021-33196: archive/zip: malformed archive may cause panic or memory exhaustion (bsc#1186622).
  • CVE-2021-33197: net/http/httputil: ReverseProxy forwards Connection headers if first one is empty (bsc#1187444)
  • CVE-2021-33198: math/big: (*Rat).SetString with '1.770p02041010010011001001' crashes with 'makeslice: len out of range' (bsc#1187445).

Список пакетов

Container bci/golang:1.16
go1.16-1.16.5-1.17.1
Container trento/trento-runner:latest
go1.16-1.16.5-1.17.1
SUSE Linux Enterprise Module for Development Tools 15 SP2
go1.16-1.16.5-1.17.1
go1.16-doc-1.16.5-1.17.1
go1.16-race-1.16.5-1.17.1
SUSE Linux Enterprise Module for Development Tools 15 SP3
go1.16-1.16.5-1.17.1
go1.16-doc-1.16.5-1.17.1
go1.16-race-1.16.5-1.17.1

Ссылки

Описание

Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.

Затронутые продукты
Container bci/golang:1.16:go1.16-1.16.5-1.17.1
Container trento/trento-runner:latest:go1.16-1.16.5-1.17.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-1.16.5-1.17.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-doc-1.16.5-1.17.1
Ссылки

Описание

In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.

Затронутые продукты
Container bci/golang:1.16:go1.16-1.16.5-1.17.1
Container trento/trento-runner:latest:go1.16-1.16.5-1.17.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-1.16.5-1.17.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-doc-1.16.5-1.17.1
Ссылки

Описание

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.

Затронутые продукты
Container bci/golang:1.16:go1.16-1.16.5-1.17.1
Container trento/trento-runner:latest:go1.16-1.16.5-1.17.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-1.16.5-1.17.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-doc-1.16.5-1.17.1
Ссылки

Описание

In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.

Затронутые продукты
Container bci/golang:1.16:go1.16-1.16.5-1.17.1
Container trento/trento-runner:latest:go1.16-1.16.5-1.17.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-1.16.5-1.17.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-doc-1.16.5-1.17.1
Ссылки
Уязвимость SUSE-SU-2021:2186-1