Arch Linux Security Advisory ASA-202106-42 ========================================== Severity: Medium Date : 2021-06-15 CVE-ID : CVE-2021-33195 CVE-2021-33196 CVE-2021-33197 CVE-2021-33198 Package : go Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-2006 Summary ======= The package go before version 2:1.16.5-1 is vulnerable to multiple issues including insufficient validation, url request injection and denial of service. Resolution ========== Upgrade to 2:1.16.5-1. # pacman -Syu "go>=2:1.16.5-1" The problems have been fixed upstream in version 1.16.5. Workaround ========== None. Description =========== - CVE-2021-33195 (insufficient validation) A security issue has been found in Go before version 1.16.5. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net, and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use. - CVE-2021-33196 (denial of service) A security issue has been found in Go before version 1.16.5. Due to a pre-allocation optimization in zip.NewReader, a malformed archive which indicates it has a significant number of files can cause either a panic or memory exhaustion. - CVE-2021-33197 (url request injection) A security issue has been found in Go before version 1.16.5. ReverseProxy in net/http/httputil could be made to forward certain hop- by-hop headers, including Connection. In case the target of the ReverseProxy was itself a reverse proxy, this would let an attacker drop arbitrary headers, including those set by the ReverseProxy.Director. - CVE-2021-33198 (denial of service) A security issue has been found in Go before version 1.16.5. The SetString and UnmarshalText methods of math/big.Rat may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents. Impact ====== An attacker could crash an application with crafted input, inject malicious and unexpected content or drop HTTP headers by posing as a reverse proxy. References ========== https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI/m/r_EP-NlKBgAJ https://github.com/golang/go/issues/46241 https://github.com/golang/go/commit/df6a737cc899507d3090e995abd1e1ed1a30cee3 https://github.com/golang/go/issues/46242 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33912 https://github.com/golang/go/commit/895fb1bb6fc0d3c01c5ef7c8cbaf033d1fff9ad7 https://github.com/golang/go/issues/46313 https://github.com/golang/go/commit/0410005dc458f23fb15f64354f9a24ca8f2fe044 https://github.com/golang/go/issues/45910 https://github.com/golang/go/commit/9210eaf7dc704612a6eda97c482012f779fd833b https://security.archlinux.org/CVE-2021-33195 https://security.archlinux.org/CVE-2021-33196 https://security.archlinux.org/CVE-2021-33197 https://security.archlinux.org/CVE-2021-33198