From URL: "net/http: improper sanitization of Transfer-Encoding header The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid. This is CVE-2022-1705 and https://go.dev/issue/53188. When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected. This is https://go.dev/issue/53423 and CVE-2022-32148. Thanks to Christian Mehlmauer for reporting this issue. compress/gzip: stack exhaustion in Reader.Read Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion. This is CVE-2022-30631 and Go issue https://go.dev/issue/53168. encoding/xml: stack exhaustion in Unmarshal Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion. This is CVE-2022-30633 and Go issue https://go.dev/issue/53611. encoding/xml: stack exhaustion in Decoder.Skip Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion. The Go Security team discovered this issue, and it was independently reported by Juho Nurminen of Mattermost. This is CVE-2022-28131 and Go issue https://go.dev/issue/53614. encoding/gob: stack exhaustion in Decoder.Decode Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is CVE-2022-30635 and Go issue https://go.dev/issue/53615. path/filepath: stack exhaustion in Glob Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2022-30632 and Go issue https://go.dev/issue/53416. io/fs: stack exhaustion in Glob Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. This is CVE-2022-30630 and Go issue https://go.dev/issue/53415. go/parser: stack exhaustion in all Parse* functions Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2022-1962 and Go issue https://go.dev/issue/53616." Please bump to 1.18.4 and 1.17.12.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bdf476b2d38439f8d6a0e5c2ad06fbb8e8cc82f9 commit bdf476b2d38439f8d6a0e5c2ad06fbb8e8cc82f9 Author: William Hubbs <williamh@gentoo.org> AuthorDate: 2022-07-14 20:21:02 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2022-07-14 20:21:41 +0000 dev-lang/go: add 1.17.12, 1.18.4 Bug: https://bugs.gentoo.org/857822 Signed-off-by: William Hubbs <williamh@gentoo.org> dev-lang/go/Manifest | 2 + dev-lang/go/go-1.17.12.ebuild | 196 ++++++++++++++++++++++++++++++++++++++++++ dev-lang/go/go-1.18.4.ebuild | 196 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 394 insertions(+)
*** Bug 857177 has been marked as a duplicate of this bug. ***
Thanks! Please stable when ready.
Please cleanup
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63e7f2d9f00b58e5ed4346a0d9f9411d42a4429c commit 63e7f2d9f00b58e5ed4346a0d9f9411d42a4429c Author: William Hubbs <williamh@gentoo.org> AuthorDate: 2022-08-01 22:54:59 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2022-08-01 22:54:59 +0000 dev-lang/go: drop 1.17.11, 1.18.3 Bug: https://bugs.gentoo.org/857822 Signed-off-by: William Hubbs <williamh@gentoo.org> dev-lang/go/Manifest | 2 - dev-lang/go/go-1.17.11.ebuild | 196 ------------------------------------------ dev-lang/go/go-1.18.3.ebuild | 196 ------------------------------------------ 3 files changed, 394 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-08-04 13:53:02 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-08-04 13:59:34 +0000 [ GLSA 202208-02 ] Go: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/754210 Bug: https://bugs.gentoo.org/766216 Bug: https://bugs.gentoo.org/775326 Bug: https://bugs.gentoo.org/788640 Bug: https://bugs.gentoo.org/794784 Bug: https://bugs.gentoo.org/802054 Bug: https://bugs.gentoo.org/806659 Bug: https://bugs.gentoo.org/807049 Bug: https://bugs.gentoo.org/816912 Bug: https://bugs.gentoo.org/821859 Bug: https://bugs.gentoo.org/828655 Bug: https://bugs.gentoo.org/833156 Bug: https://bugs.gentoo.org/834635 Bug: https://bugs.gentoo.org/838130 Bug: https://bugs.gentoo.org/843644 Bug: https://bugs.gentoo.org/849290 Bug: https://bugs.gentoo.org/857822 Bug: https://bugs.gentoo.org/862822 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+)
GLSA released, all done!
