Lucene search

K
freebsdFreeBSD854C2AFB-4424-11ED-AF97-ADCABF310F9B
HistoryOct 04, 2022 - 12:00 a.m.

go -- multiple vulnerabilities

2022-10-0400:00:00
vuxml.freebsd.org
8

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

56.0%

The Go project reports:

archive/tar: unbounded memory consumption when reading
headers
Reader.Read did not set a limit on the maximum size of
file headers. A maliciously crafted archive could cause
Read to allocate unbounded amounts of memory, potentially
causing resource exhaustion or panics. Reader.Read now
limits the maximum size of header blocks to 1 MiB.

net/http/httputil: ReverseProxy should not forward
unparseable query parameters
Requests forwarded by ReverseProxy included the raw
query parameters from the inbound request, including
unparseable parameters rejected by net/http. This could
permit query parameter smuggling when a Go proxy
forwards a parameter with an unparseable value.
ReverseProxy will now sanitize the query parameters in
the forwarded query when the outbound request’s Form
field is set after the ReverseProxy.Director function
returns, indicating that the proxy has parsed the query
parameters. Proxies which do not parse query parameters
continue to forward the original query parameters
unchanged.

regexp/syntax: limit memory used by parsing regexps
The parsed regexp representation is linear in the size
of the input, but in some cases the constant factor can be
as high as 40,000, making relatively small regexps consume
much larger amounts of memory.
Each regexp being parsed is now limited to a 256 MB
memory footprint. Regular expressions whose
representation would use more space than that are now
rejected. Normal use of regular expressions is
unaffected.

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchgo118< 1.18.7UNKNOWN
FreeBSDanynoarchgo119< 1.19.2UNKNOWN

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

56.0%

Related for 854C2AFB-4424-11ED-AF97-ADCABF310F9B