We have just released Go versions 1.18.1 and 1.17.9, minor point releases. These minor releases include three security fixes following the security policy: encoding/pem: fix stack overflow in Decode A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash. Thanks to Juho Nurminen of Mattermost who reported the error. This is CVE-2022-24675 and https://go.dev/issue/51853. crypto/elliptic: tolerate all oversized scalars in generic P-256 A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected. This was discovered thanks to a Project Wycheproof test vector. This is CVE-2022-28327 and https://go.dev/issue/52075. crypto/x509: non-compliant certificates can cause a panic in Verify on macOS in Go 1.18 Verifying certificate chains containing certificates which are not compliant with RFC 5280 causes Certificate.Verify to panic on macOS. These chains can be delivered through TLS and can cause a crypto/tls or net/http client to crash. Thanks to Tailscale for doing weird things and finding this. This is CVE-2022-27536 and https://go.dev/issue/51759.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=523a34ecb8b9f0f7f93af316c902a0128480044e commit 523a34ecb8b9f0f7f93af316c902a0128480044e Author: William Hubbs <williamh@gentoo.org> AuthorDate: 2022-04-13 15:15:32 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2022-04-13 15:15:43 +0000 dev-lang/go: drop 1.18 Bug: https://bugs.gentoo.org/838130 Signed-off-by: William Hubbs <williamh@gentoo.org> dev-lang/go/Manifest | 1 - dev-lang/go/go-1.18.ebuild | 196 --------------------------------------------- 2 files changed, 197 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afc9f3f7af49f852b1cd7460999519a086b512d9 commit afc9f3f7af49f852b1cd7460999519a086b512d9 Author: William Hubbs <williamh@gentoo.org> AuthorDate: 2022-04-13 15:13:22 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2022-04-13 15:15:42 +0000 dev-lang/go: add 1.17.9, 1.18.1 Bug: https://bugs.gentoo.org/838130 Signed-off-by: William Hubbs <williamh@gentoo.org> dev-lang/go/Manifest | 2 + dev-lang/go/go-1.17.9.ebuild | 196 +++++++++++++++++++++++++++++++++++++++++++ dev-lang/go/go-1.18.1.ebuild | 196 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 394 insertions(+)
Thanks! Please stable when ready.
*** Bug 839684 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-08-04 13:53:02 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-08-04 13:59:34 +0000 [ GLSA 202208-02 ] Go: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/754210 Bug: https://bugs.gentoo.org/766216 Bug: https://bugs.gentoo.org/775326 Bug: https://bugs.gentoo.org/788640 Bug: https://bugs.gentoo.org/794784 Bug: https://bugs.gentoo.org/802054 Bug: https://bugs.gentoo.org/806659 Bug: https://bugs.gentoo.org/807049 Bug: https://bugs.gentoo.org/816912 Bug: https://bugs.gentoo.org/821859 Bug: https://bugs.gentoo.org/828655 Bug: https://bugs.gentoo.org/833156 Bug: https://bugs.gentoo.org/834635 Bug: https://bugs.gentoo.org/838130 Bug: https://bugs.gentoo.org/843644 Bug: https://bugs.gentoo.org/849290 Bug: https://bugs.gentoo.org/857822 Bug: https://bugs.gentoo.org/862822 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+)
GLSA released, all done!