126 matches found
Rocky Linux 8 : container-tools:3.0 (RLSA-2022:7529)
The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:7529 advisory. - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if...
Amazon Linux 2022 : golang, golang-bin, golang-misc (ALAS2022-2022-128)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-128 advisory. A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating chunked encoding. This issue could allow request smuggling, but only if combined with an...
Moderate: Red Hat Security Advisory: container-tools:4.0 security and bug fix update
An update for the container-tools:4.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for eac...
golang: encoding/xml: stack exhaustion in Unmarshal
A flaw was found in golang. Calling Unmarshal on an XML document into a Go struct, which has a nested field that uses the "any" field tag, can cause a panic due to stack exhaustion...
golang: encoding/xml: stack exhaustion in Decoder.Skip
A flaw was found in golang encoding/xml. When calling Decoder.Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion, allowing an attacker to impact system availability...
ALSA-2023:2758 Moderate: container-tools:rhel8 security, bug fix, and enhancement update
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fixes: golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705); golang: go/parser: stack exhaustion in all Parse functions (CVE-2022-1962); golang:...
Amazon Linux 2023 : golist (ALAS2023-2023-046)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-046 advisory. 2023-05-11: CVE-2022-1996 has changed status to NOT AFFECTED for this package and has been removed from this advisory. A flaw was found in golang. The HTTP/1 client accepted invalid...
SUSE CVE-2020-29509
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications...
SUSE CVE-2020-29510
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications...
SUSE CVE-2021-27918
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader for xml.NewTokenDecoder returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method...
SUSE CVE-2022-28131
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document...
golang: encoding/xml: stack exhaustion in Unmarshal
A flaw was found in golang. Calling Unmarshal on an XML document into a Go struct, which has a nested field that uses the "any" field tag, can cause a panic due to stack exhaustion...
Moderate: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.6 security and bug fix update
The Migration Toolkit for Containers (MTC) 1.7.6 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE...
Oracle Linux 8 : container-tools:3.0 (ELSA-2022-7529)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-7529 advisory. - fixes CVE-2021-3602 - amend CVE-2022-1708 - fix CVE-2022-1708 - thanks to Peter Hunt - fix CVE-2022-27650 - fixes CVE-2021-3602 - rc95 fixes...
golang: encoding/xml: stack exhaustion in Decoder.Skip
A flaw was found in golang encoding/xml. When calling Decoder.Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion, allowing an attacker to impact system availability...
Moderate: Red Hat Security Advisory: container-tools:3.0 security update
An update for the container-tools:3.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for eac...
golang: encoding/xml: stack exhaustion in Unmarshal
A flaw was found in golang. Calling Unmarshal on an XML document into a Go struct, which has a nested field that uses the "any" field tag, can cause a panic due to stack exhaustion...
golang: encoding/xml: stack exhaustion in Decoder.Skip
A flaw was found in golang encoding/xml. When calling Decoder.Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion, allowing an attacker to impact system availability...
container-tools:3.0 security update
An update is available for fuse-overlayfs, container-selinux, udica, runc, toolbox, podman, conmon, skopeo, crun, libslirp, oci-seccomp-bpf-hook, slirp4netns, containernetworking-plugins, buildah, criu, cockpit-podman. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS...
EulerOS 2.0 SP5 : golang (EulerOS-SA-2022-2710)
According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: - In filepath.Clean in path/filepath in Go before 1.17.11 and 1.18.x before 1.18.3 on Windows, invalid paths such as .\c: could be converted to...