CVE-2023-39326 (https://github.com/golang/go/issues/64433): net/http: limit chunked data overhead A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. CVE-2023-45285 (https://github.com/golang/go/issues/63845): cmd/go: go get may unexpectedly fallback to insecure git Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off). CVE-2023-45283 (https://github.com/golang/go/issues/64028): path/filepath: retain trailing \ when cleaning paths like \\?\c:\ Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?\, resulting in filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among other effects). The previous behavior has been restored. The above are fixed in 1.21.5 and 1.20.12
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb4f581b70aa5d8223bdd8482d7376ad219286c9 commit cb4f581b70aa5d8223bdd8482d7376ad219286c9 Author: William Hubbs <williamh@gentoo.org> AuthorDate: 2023-12-11 22:06:44 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2023-12-11 22:06:44 +0000 dev-lang/go: add 1.20.12, 1.21.5 Bug: https://bugs.gentoo.org/919310 Signed-off-by: William Hubbs <williamh@gentoo.org> dev-lang/go/Manifest | 2 + dev-lang/go/go-1.20.12.ebuild | 210 ++++++++++++++++++++++++++++++++++++++++++ dev-lang/go/go-1.21.5.ebuild | 210 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 422 insertions(+)
Actually, we still need to deal with 1.20.12 on x86 somehow, which wasn't stabled in the stablereq.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b39e7fe8e9e50ec8e24cb8b9f3db5334d3600aff commit b39e7fe8e9e50ec8e24cb8b9f3db5334d3600aff Author: Matoro Mahri <matoro_gentoo@matoro.tk> AuthorDate: 2024-01-06 23:30:25 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2024-01-07 00:39:10 +0000 profiles/arch/x86: mask <dev-lang/go-1.21 Bug: https://bugs.gentoo.org/919310 Bug: https://bugs.gentoo.org/921366 Signed-off-by: Matoro Mahri <matoro_gentoo@matoro.tk> Signed-off-by: John Helmert III <ajak@gentoo.org> profiles/arch/x86/package.mask | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd3ed6d8499370cd6fbdeec37d347177a1070987 commit dd3ed6d8499370cd6fbdeec37d347177a1070987 Author: William Hubbs <williamh@gentoo.org> AuthorDate: 2024-01-08 16:11:55 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2024-01-08 16:12:30 +0000 dev-lang/go: drop 1.21.4 Bug: https://bugs.gentoo.org/919310 Signed-off-by: William Hubbs <williamh@gentoo.org> dev-lang/go/Manifest | 1 - dev-lang/go/go-1.21.4.ebuild | 210 ------------------------------------------- 2 files changed, 211 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef656a3906cbd7db2d89a25ed890901f8c61ee2b commit ef656a3906cbd7db2d89a25ed890901f8c61ee2b Author: William Hubbs <williamh@gentoo.org> AuthorDate: 2024-01-08 16:10:22 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2024-01-08 16:12:29 +0000 dev-lang/go: drop 1.20.11 Bug: https://bugs.gentoo.org/919310 Signed-off-by: William Hubbs <williamh@gentoo.org> dev-lang/go/Manifest | 1 - dev-lang/go/go-1.20.11.ebuild | 210 ------------------------------------------ 2 files changed, 211 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=ec7d3c7515acf6f1890cb4bd01cca086f31ced54 commit ec7d3c7515acf6f1890cb4bd01cca086f31ced54 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-08-07 09:30:14 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-08-07 09:30:29 +0000 [ GLSA 202408-07 ] Go: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/906043 Bug: https://bugs.gentoo.org/919310 Bug: https://bugs.gentoo.org/926530 Bug: https://bugs.gentoo.org/928539 Bug: https://bugs.gentoo.org/931602 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202408-07.xml | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+)