CVE-2022-27664: In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

CVE-2022-32190: JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path. For example, JoinPath("https://go.dev", "../go") returned the URL https://go.dev/../go, despite the JoinPath documentation stating that ../ path elements are cleaned from the result.
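An added example, not part of the original report or of Go's own code: a caller-side containment check for URLs built with url.JoinPath from untrusted elements. It rejects a result that still carries a ".." segment (the CVE-2022-32190 behaviour) and also one that was cleaned but climbed above the base path. JoinUnderBase, ErrEscapesBase and the example.test host are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

var ErrEscapesBase = errors.New("joined path escapes base")

// JoinUnderBase (hypothetical helper) joins elem onto base with url.JoinPath,
// then verifies containment itself instead of trusting the runtime's cleaning.
func JoinUnderBase(base string, elem ...string) (string, error) {
	b, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	joined, err := url.JoinPath(base, elem...)
	if err != nil {
		return "", err
	}
	j, err := url.Parse(joined)
	if err != nil {
		return "", err
	}
	// A surviving ".." segment means the result was not cleaned.
	for _, seg := range strings.Split(j.Path, "/") {
		if seg == ".." {
			return "", ErrEscapesBase
		}
	}
	// Cleaning alone is not containment: "../x" may climb above the base path.
	root := path.Clean("/" + b.Path)
	got := path.Clean("/" + j.Path)
	if root != "/" && got != root && !strings.HasPrefix(got, root+"/") {
		return "", ErrEscapesBase
	}
	return joined, nil
}

func main() {
	// Constructed inputs; example.test is a placeholder host.
	for _, e := range [][]string{{"users", "42"}, {"../admin"}, {"%2e%2e/admin"}} {
		u, err := JoinUnderBase("https://example.test/api/v1", e...)
		fmt.Printf("%q -> %q, %v\n", e, u, err)
	}
}
```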
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb7ed3d2512226820595a4a6bcb7be32d2dfbe13

commit cb7ed3d2512226820595a4a6bcb7be32d2dfbe13
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-09-09 02:53:39 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-09-09 02:53:59 +0000

    dev-lang/go: drop 1.19

    Bug: https://bugs.gentoo.org/869002
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest       |   1 -
 dev-lang/go/go-1.19.ebuild | 196 ---------------------------------------------
 2 files changed, 197 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da461387f8ceefb7669f70c2f629bf5384e6ae25

commit da461387f8ceefb7669f70c2f629bf5384e6ae25
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-09-09 02:53:10 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-09-09 02:53:59 +0000

    dev-lang/go: add 1.19.1

    Bug: https://bugs.gentoo.org/869002
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.19.1.ebuild | 196 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 197 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b83d742a161d788d4b27f93dbd5ae25e4ebb38a4

commit b83d742a161d788d4b27f93dbd5ae25e4ebb38a4
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-09-09 02:51:18 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-09-09 02:53:59 +0000

    dev-lang/go: add 1.18.6

    Bug: https://bugs.gentoo.org/869002
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.18.6.ebuild | 196 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 197 insertions(+)
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=8d08382354928e9d71104918346d369c32ee3db6

commit 8d08382354928e9d71104918346d369c32ee3db6
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:25:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:02 +0000

    [ GLSA 202209-26 ] Go: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/869002
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-26.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
All done!