mageia | Gentoo Foundation | MGASA-2022-0356
History: Oct 05, 2022 - 8:23 a.m.

Updated golang packages fix security vulnerability

2022-10-05 08:23:49 | Gentoo Foundation | advisories.mageia.org
Tags: golang, security, vulnerability, http/2, denial of service, cve-2022-27664, cve-2022-32190, joinpath, url.joinpath, unix

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.002
Percentile: 62.1%

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)
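
An added example, not part of the advisory or of Go's own code: a defence-in-depth wrapper around URL.JoinPath that rejects a joined path which still contains a ".." element or lands outside the base path, whichever Go release built the binary. The names safeJoin and hasDotDot and the host example.test are hypothetical, and the inputs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// hasDotDot reports whether a decoded URL path has a ".." segment.
func hasDotDot(p string) bool {
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// safeJoin (hypothetical helper) joins elem onto base with URL.JoinPath and
// rejects a result that keeps a ".." segment or leaves base's path.
func safeJoin(base string, elem ...string) (string, error) {
	b, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	j := b.JoinPath(elem...)
	// Compare decoded paths in leading-slash form; Path is already
	// percent-decoded, so "%2e%2e" shows up here as "..".
	root := "/" + strings.Trim(b.Path, "/")
	got := "/" + strings.TrimLeft(j.Path, "/")
	if hasDotDot(got) {
		return "", fmt.Errorf("joined path %q contains a .. element", got)
	}
	if got != root && !strings.HasPrefix(got, strings.TrimSuffix(root, "/")+"/") {
		return "", fmt.Errorf("joined path %q is outside base %q", got, root)
	}
	return j.String(), nil
}

func main() {
	// Constructed inputs; example.test is a placeholder host.
	for _, e := range []string{"v1/users", "../admin", "%2e%2e/admin"} {
		out, err := safeJoin("https://example.test/api/", e)
		fmt.Printf("%-14q -> %q err=%v\n", e, out, err)
	}
}
```

The check is applied to the result of the join rather than to the input elements, so it does not depend on how a given Go release normalises "..".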

OS | Version | Architecture | Package | Version | Filename
Mageia | 8 | noarch | golang | < 1.18.6-1 | golang-1.18.6-1.mga8
