golang: regexp/syntax: limit memory used by parsing regexps
A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as...
XSS vulnerabilities via various embeds
Description JSFiddle, Gliffy, Otter and Tldraw embeds lack sufficient input validation. Every one of them can be abused to achieve a stored XSS on a main application domain. This XSS triggers for everyone viewing the document. Proof of Concept PoC file is different for each vulnerable embed. See...
RHEL 9 : golang-github-cpuguy83-md2man (RHSA-2023:2592)
The remote Red Hat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2023:2592 advisory. go-md2man converts markdown into roff man pages. Security Fixes: golang: regexp/syntax: limit memory used by parsing regexps CVE-2022-41715 For more...
Moderate: Red Hat Security Advisory: Image Builder security, bug fix, and enhancement update
An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severi...
ALSA-2023:2592 Moderate: golang-github-cpuguy83-md2man security, bug fix, and enhancement update
go-md2man converts markdown into roff man pages. Security Fixes: golang: regexp/syntax: limit memory used by parsing regexps CVE-2022-41715 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed...
ALSA-2023:0446 Moderate: go-toolset:rhel8 security and bug fix update
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fixes: golang: archive/tar: unbounded memory consumption when reading headers CVE-2022-2879 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters...
go-toolset and golang security and bug fix update
An update is available for golang, go-toolset. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Go Toolset provides the Go programming language tools and librarie...
Moderate: go-toolset and golang security and bug fix update
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler. Security Fixes: golang: archive/tar: unbounded memory consumption when reading headers CVE-2022-2879 golang: net/http/httputi...
ALSA-2023:0328 Moderate: go-toolset and golang security and bug fix update
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler. Security Fixes: golang: archive/tar: unbounded memory consumption when reading headers CVE-2022-2879 golang: net/http/httputi...
FreeBSD : go -- multiple vulnerabilities (854c2afb-4424-11ed-af97-adcabf310f9b)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 854c2afb-4424-11ed-af97-adcabf310f9b advisory. - The Go project reports: archive/tar: unbounded memory consumption when reading headers...
go -- multiple vulnerabilities
The Go project reports: archive/tar: unbounded memory consumption when reading headers Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics...
golang: regexp: stack exhaustion via a deeply nested expression
A stack overflow flaw was found in Golang's regexp module, which can crash the runtime if the application using regexp accepts very long or arbitrarily long regexps from untrusted sources that have sufficient nesting depths. To exploit this vulnerability, an attacker would need to send large...
CVE-2022-24921
A stack overflow flaw was found in Golang's regexp module, which can crash the runtime if the application using regexp accepts very long or arbitrarily long regexps from untrusted sources that have sufficient nesting depths. To exploit this vulnerability, an attacker would need to send large...
GHSA-QG54-694P-WGPP Regular expression denial of service vulnerability (ReDoS) in date
Date’s parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected. The fix limits the input length up to 128 bytes by default...
Regular expression denial of service vulnerability (ReDoS) in date
Date’s parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected. The fix limits the input length up to 128 bytes by default...