go

Link package | bugs open | bugs closed | Wiki | GitHub | web search
Description Core compiler tools for the Go programming language
Version 2:1.23.3-1 [extra]

Resolved

Group Affected Fixed Severity Status Ticket
AVG-2617 2:1.17.4-1 2:1.17.5-1 Medium Fixed
AVG-2527 2:1.17.2-2 2:1.17.3-1 Low Fixed
AVG-2454 2:1.17.1-1 2:1.17.2-1 Medium Fixed
AVG-2370 2:1.17-2 2:1.17.1-1 Low Fixed
AVG-2259 2:1.16.6-1 2:1.16.7-1 Low Fixed
AVG-2147 2:1.16.5-1 2:1.16.6-1 Low Fixed
AVG-2006 2:1.16.4-1 2:1.16.5-1 Medium Fixed
AVG-1927 2:1.16.3-1 2:1.16.4-1 Low Fixed
AVG-1668 2:1.16-1 2:1.16.1-1 Low Fixed
AVG-1481 2:1.15.6-1 2:1.15.7-1 Medium Fixed
AVG-1357 2:1.16.7-1 2:1.17-1 Medium Fixed
AVG-1278 2:1.15.4-1 2:1.15.5-1 High Fixed
AVG-1215 1.15.0-1 1.15.1-1 Medium Fixed
AVG-1051 2:1.13.1-1 2:1.13.3-1 Medium Fixed
AVG-1050 2:1.12.9-1 2:1.13.1-1 High Fixed
AVG-1021 2:1.12.7-1 2:1.12.8-1 Medium Fixed
AVG-859 2:1.11.4-1 2:1.11.5-1 Medium Fixed
AVG-835 2:1.11.2-2 2:1.11.3-1 High Fixed
AVG-606 1.9.3-1 1.9.4-1 High Fixed
AVG-442 2:1.9-1 2:1.9.1-1 High Fixed
AVG-433 2:1.7-1 2:1.8-1 High Fixed
Issue Group Severity Remote Type Description
CVE-2021-44717 AVG-2617 Medium Yes Incorrect calculation
A security issue has been found in go before version 1.17.5. When a Go program running on a Unix system is out of file descriptors and calls...
CVE-2021-44716 AVG-2617 Medium Yes Denial of service
A security issue has been found in go before version 1.17.5. An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.
CVE-2021-41772 AVG-2527 Low Yes Denial of service
A security issue has been found in go before version 1.17.3. Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an...
CVE-2021-41771 AVG-2527 Low Yes Denial of service
A security issue has been found in go before version 1.17.3. Malformed binaries parsed using Open or OpenFat can cause a panic when calling ImportedSymbols,...
CVE-2021-39293 AVG-2370 Low Yes Denial of service
A security issue has been found in go before version 1.17.1. An oversight in the fix for CVE-2021-33196 still allows for an out of memory panic when the...
CVE-2021-38297 AVG-2454 Medium Yes Arbitrary code execution
A security issue has been found in go before version 1.17.2. When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large...
CVE-2021-36221 AVG-2259 Low Yes Denial of service
A security issue has been found in Go before version 1.16.7. A net/http/httputil ReverseProxy can panic due to a race condition if its Handler aborts with...
CVE-2021-34558 AVG-2147 Low Yes Denial of service
A security issue has been found in Go before version 1.16.6. crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated...
CVE-2021-33198 AVG-2006 Low Yes Denial of service
A security issue has been found in Go before version 1.16.5. The SetString and UnmarshalText methods of math/big.Rat may cause a panic or an unrecoverable...
CVE-2021-33197 AVG-2006 Medium Yes Url request injection
A security issue has been found in Go before version 1.16.5. ReverseProxy in net/http/httputil could be made to forward certain hop-by-hop headers,...
CVE-2021-33196 AVG-2006 Low Yes Denial of service
A security issue has been found in Go before version 1.16.5. Due to a pre-allocation optimization in zip.NewReader, a malformed archive which indicates it...
CVE-2021-33195 AVG-2006 Medium Yes Insufficient validation
A security issue has been found in Go before version 1.16.5. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net, and their...
CVE-2021-31525 AVG-1927 Low Yes Denial of service
A security issue has been found in Go before version 1.16.4. ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very...
CVE-2021-29923 AVG-1357 Medium Yes Access restriction bypass
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to...
CVE-2021-27919 AVG-1668 Low No Denial of service
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in...
CVE-2021-27918 AVG-1668 Low No Denial of service
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle...
CVE-2021-3115 AVG-1481 Medium No Arbitrary command execution
A security issue was found in Go and fixed in versions 1.15.7 and 1.14.14. The go command may execute arbitrary code at build time when using cgo on...
CVE-2021-3114 AVG-1481 Low No Incorrect calculation
A security issue was found in Go and fixed in versions 1.15.7 and 1.14.14. The P224() Curve implementation can in rare circumstances generate incorrect...
CVE-2020-29511 AVG-1357 Medium No Incorrect calculation
Go's encoding/xml handles namespace prefixes on XML elements in a way that causes crafted markup to mutate during round-trips through the xml.Decoder and...
CVE-2020-29510 AVG-1357 Medium Yes Incorrect calculation
Go's encoding/xml handles XML directives in a way that causes crafted markup to mutate during round-trips through the xml.Decoder and xml.Encoder...
CVE-2020-29509 AVG-1357 Medium Yes Incorrect calculation
Go's encoding/xml handles namespace prefixes on XML attributes in a way that causes crafted markup to mutate during round-trips through the xml.Decoder and...
CVE-2020-28367 AVG-1278 High Yes Arbitrary code execution
A flaw was found in go before 1.15.5 where the go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on...
CVE-2020-28366 AVG-1278 High Yes Arbitrary code execution
A flaw was found in go beforer 1.15.5  where the go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get...
CVE-2020-28362 AVG-1278 Low No Denial of service
A flaw was found in go before 1.15.5 where a number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD)...
CVE-2020-24553 AVG-1215 Medium Yes Cross-site scripting
In Go versions before 1.15.1 and 1.14.8 if the Content-Type header of a Handler was not explicitly set the net/http/cgi and net/http/fcgi packages would...
CVE-2019-17596 AVG-1051 Medium Yes Denial of service
Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic,...
CVE-2019-16276 AVG-1050 High Yes Access restriction bypass
net/http (through net/textproto) in Go before 1.12.0 and 1.13.1 used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in...
CVE-2019-14809 AVG-1021 Medium Yes Insufficient validation
An issue has been found in Go before 1.12.8, where url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes...
CVE-2019-9514 AVG-1021 Medium Yes Denial of service
An issue has been found in several HTTP/2 implementations, where the attacker opens a number of streams and sends an invalid request over each stream that...
CVE-2019-9512 AVG-1021 Medium Yes Denial of service
An issue has been found in several HTTP/2 implementations, where the attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal...
CVE-2019-6486 AVG-859 Medium Yes Private key recovery
Go before versions 1.10.8 and 1.11.5 has a vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves. A remote attacker...
CVE-2018-16875 AVG-835 Medium Yes Denial of service
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might...
CVE-2018-16874 AVG-835 High Yes Directory traversal
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go...
CVE-2018-16873 AVG-835 High Yes Arbitrary command execution
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path...
CVE-2018-6574 AVG-606 High Yes Arbitrary code execution
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by...
CVE-2017-1000098 AVG-433 High Yes Denial of service
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit....
CVE-2017-15041 AVG-442 High Yes Arbitrary command execution
Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that...

Advisories

Date Advisory Group Severity Type
20 Jul 2021 ASA-202107-42 AVG-2147 Low denial of service
15 Jun 2021 ASA-202106-42 AVG-2006 Medium multiple issues
20 Jan 2021 ASA-202101-27 AVG-1481 Medium multiple issues
17 Nov 2020 ASA-202011-16 AVG-1278 High multiple issues
03 Sep 2020 ASA-202009-3 AVG-1215 Medium cross-site scripting
21 Oct 2019 ASA-201910-12 AVG-1051 Medium denial of service
24 Aug 2019 ASA-201908-15 AVG-1021 Medium multiple issues
24 Jan 2019 ASA-201901-11 AVG-859 Medium private key recovery
18 Dec 2018 ASA-201812-11 AVG-835 High multiple issues
09 Feb 2018 ASA-201802-2 AVG-606 High arbitrary code execution
12 Oct 2017 ASA-201710-15 AVG-442 High arbitrary command execution