Описание
Security update for go1.15
This update for go1.15 fixes the following issues:
Update to 1.15.13.
Includes these security fixes
- CVE-2021-33195: net: Lookup functions may return invalid host names (bsc#1187443).
- CVE-2021-33196: archive/zip: malformed archive may cause panic or memory exhaustion (bsc#1186622).
- CVE-2021-33197: net/http/httputil: ReverseProxy forwards Connection headers if first one is empty (bsc#1187444)
- CVE-2021-33198: math/big: (*Rat).SetString with '1.770p02041010010011001001' crashes with 'makeslice: len out of range' (bsc#1187445).
Список пакетов
openSUSE Leap 15.3
Ссылки
- E-Mail link for openSUSE-SU-2021:2214-1
- SUSE Security Ratings
- SUSE Bug 1175132
- SUSE Bug 1186622
- SUSE Bug 1187443
- SUSE Bug 1187444
- SUSE Bug 1187445
- SUSE CVE CVE-2021-33195 page
- SUSE CVE CVE-2021-33196 page
- SUSE CVE CVE-2021-33197 page
- SUSE CVE CVE-2021-33198 page
Описание
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
Затронутые продукты
Ссылки
- CVE-2021-33195
- SUSE Bug 1187443
Описание
In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.
Затронутые продукты
Ссылки
- CVE-2021-33196
- SUSE Bug 1186622
- SUSE Bug 1190589
Описание
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
Затронутые продукты
Ссылки
- CVE-2021-33197
- SUSE Bug 1187444
Описание
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
Затронутые продукты
Ссылки
- CVE-2021-33198
- SUSE Bug 1187445