5 CVEs fixed in Go 1.22.1 and Go 1.21.8, 1 CVE fixed in google.golang.org/protobuf

oss-sec mailing list archives

From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 8 Mar 2024 13:37:09 -0800

<!--X-Body-of-Message-->
https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg announces the
releases of Go 1.22.1 and Go 1.21.8 containing fixes for 5 CVEs:

>- crypto/x509: Verify panics on certificates with an unknown public key
>  algorithm
>
>  Verifying a certificate chain which contains a certificate with an
>  unknown public key algorithm will cause Certificate.Verify to panic.
>
>  This affects all crypto/tls clients, and servers that set Config.ClientAuth
>  to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default
>  behavior is for TLS servers to not verify client certificates.
>
>  Thanks to John Howard (Google) for reporting this issue.
>
>  This is CVE-2024-24783 and Go issue https://go.dev/issue/65390.
>
>- net/http: memory exhaustion in Request.ParseMultipartForm
>
>  When parsing a multipart form (either explicitly with
>  Request.ParseMultipartForm or implicitly with Request.FormValue,
>  Request.PostFormValue, or Request.FormFile), limits on the total size of
>  the parsed form were not applied to the memory consumed while reading a
>  single form line. This permitted a maliciously crafted input containing
>  very long lines to cause allocation of arbitrarily large amounts of memory,
>  potentially leading to memory exhaustion.
>
>  ParseMultipartForm now correctly limits the maximum size of form lines.
>
>  Thanks to Bartek Nowotarski for reporting this issue.
>
>  This is CVE-2023-45290 and Go issue https://go.dev/issue/65383.
>
>- net/http, net/http/cookiejar: incorrect forwarding of sensitive headers
>  and cookies on HTTP redirect
>
>  When following an HTTP redirect to a domain which is not a subdomain match
>  or exact match of the initial domain, an http.Client does not forward
>  sensitive headers such as "Authorization" or "Cookie". For example, a
>  redirect from foo.com to www.foo.com will forward the Authorization header,
>  but a redirect to bar.com will not.
>
>  A maliciously crafted HTTP redirect could cause sensitive headers to be
>  unexpectedly forwarded.
>
>  Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
>  This is CVE-2023-45289 and Go issue https://go.dev/issue/65065.
>
>- html/template: errors returned from MarshalJSON methods may break template
>  escaping
>
>  If errors returned from MarshalJSON methods contain user controlled data,
>  they may be used to break the contextual auto-escaping behavior of the
>  html/template package, allowing for subsequent actions to inject unexpected
>  content into templates.
>
>  Thanks to RyotaK (https://ryotak.net) for reporting this issue.
>
>  This is CVE-2024-24785 and Go issue https://go.dev/issue/65697.
>
>- net/mail: comments in display names are incorrectly handled
>
>  The ParseAddressList function incorrectly handles comments (text within
>  parentheses) within display names. Since this is a misalignment with
>  conforming address parsers, it can result in different trust decisions
>  being made by programs using different parsers.
>
>  Thanks to Juho Nurminen of Mattermost and Slonser
>  (https://github.com/Slonser) for reporting this issue.
>
>  This is CVE-2024-24784 and Go issue https://go.dev/issue/65083.

Separately, one more CVE fix was reported in
https://groups.google.com/g/golang-announce/c/ArQ6CDgtEjY/m/oLMrdq_GBQAJ :

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs. This condition could only occur when unmarshaling into a message
> which contains a google.protobuf.Any value, or when the
> UnmarshalOptions.UnmarshalUnknown option is set. Unmarshal now correctly
> returns an error when handling these inputs.
>
> This is CVE-2024-24786.

Though note the followup message on that page:

> A small correction: This vulnerability applies when the
> UnmarshalOptions.DiscardUnknown option is set (as well as when unmarshaling
> into any message which contains a google.protobuf.Any). There is no
> UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (https://github.com/golang/protobuf/issues/1596) Users of the older
> module should update to https://github.com/golang/protobuf/releases/tag/v1.5.4

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
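
The ParseMultipartForm item above is about the parser reading a single line, not the whole form, without a bound. The defence that does not depend on which Go version is installed is to cap the request body before the multipart parser ever sees it, with http.MaxBytesReader. The following is an added example, not code from the announcement or from the Go project: it hand-assembles a constructed multipart body whose one part carries a 64 KiB header line, parses it once with no cap and once behind an 8 KiB cap, and maps the resulting error to the status an upload handler should return. The boundary string, field name, token sizes and limits are arbitrary choices for the demonstration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// buildMultipartBody hand-assembles a multipart/form-data body (constructed
// sample input, not a captured request) whose single part carries one header
// line of roughly lineLen bytes. Before Go 1.22.1/1.21.8 such a line was read
// into memory in full before ParseMultipartForm's size limits applied.
func buildMultipartBody(boundary string, lineLen int) []byte {
	var b bytes.Buffer
	b.WriteString("--" + boundary + "\r\n")
	b.WriteString(`Content-Disposition: form-data; name="upload"; filename="`)
	b.WriteString(strings.Repeat("A", lineLen)) // the oversized header line
	b.WriteString("\"\r\n\r\n")
	b.WriteString("file contents\r\n")
	b.WriteString("--" + boundary + "--\r\n")
	return b.Bytes()
}

// parseUpload parses body the way an upload handler would. When maxBody > 0
// the request body is wrapped in http.MaxBytesReader first, so the handler,
// not the client, decides how many bytes will ever be read, whatever the
// parser does with them. It returns the number of files found under the
// (assumed) "upload" field.
func parseUpload(body []byte, boundary string, maxBody int64) (int, error) {
	req := httptest.NewRequest(http.MethodPost, "/upload", bytes.NewReader(body))
	req.Header.Set("Content-Type", "multipart/form-data; boundary="+boundary)
	w := httptest.NewRecorder()
	if maxBody > 0 {
		req.Body = http.MaxBytesReader(w, req.Body, maxBody)
	}
	// Up to 1 MiB of file data is kept in memory; larger parts spill to
	// temporary files. This is the limit the advisory says was bypassed by
	// a single long line.
	if err := req.ParseMultipartForm(1 << 20); err != nil {
		return 0, err
	}
	defer req.MultipartForm.RemoveAll()
	return len(req.MultipartForm.File["upload"]), nil
}

// statusFor maps the parse error to the HTTP status an upload handler should
// send: 413 when the server-side byte cap was hit (the error is a
// *http.MaxBytesError), 400 for any other malformed input.
func statusFor(err error) int {
	var mbe *http.MaxBytesError
	if errors.As(err, &mbe) {
		return http.StatusRequestEntityTooLarge
	}
	return http.StatusBadRequest
}

func main() {
	const boundary = "example-boundary"
	body := buildMultipartBody(boundary, 64<<10) // one 64 KiB header line

	n, err := parseUpload(body, boundary, 0)
	fmt.Printf("no cap:     files=%d err=%v\n", n, err)

	_, err = parseUpload(body, boundary, 8<<10) // read at most 8 KiB of body
	fmt.Printf("8 KiB cap:  err=%v status=%d\n", err, statusFor(err))
}
```

The cap is the only part of this that protects a server still running an affected Go: the 64 KiB line parses cleanly without it, and with it the parser stops after 8 KiB with a *http.MaxBytesError, which is why the handler can answer 413 rather than 400. Pick the cap from the largest upload the endpoint legitimately accepts, and apply it before any call to FormValue, PostFormValue or FormFile, since each of those parses the form implicitly.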

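The redirect item concerns the rule that an http.Client forwards Authorization and Cookie only when the redirect target is the same host as, or a subdomain of, the original one. The following added example, not code from the announcement or from the Go project, exercises that rule entirely offline: a hand-written RoundTripper stands in for the network, answering the first request with a 302 and recording the headers of every request it sees, so the forwarding decision can be read back. It uses the announcement's own foo.com, www.foo.com and bar.com hosts and finishes with a CheckRedirect policy that strips credentials on any host change, for callers who would rather not depend on the subdomain rule at all. The transport type, function names and the bearer token are assumptions made for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// redirectingTransport is a constructed stand-in for the network (no
// sockets are opened): the first request receives a 302 to target, every
// later request receives 200. It keeps a copy of each request's headers so
// the caller can see what the client forwarded after the redirect.
type redirectingTransport struct {
	target string
	seen   []http.Header
}

func (t *redirectingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	t.seen = append(t.seen, req.Header.Clone())
	resp := &http.Response{
		StatusCode: http.StatusOK,
		Status:     "200 OK",
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader("")),
		Request:    req,
	}
	if len(t.seen) == 1 {
		resp.StatusCode = http.StatusFound
		resp.Status = "302 Found"
		resp.Header.Set("Location", t.target)
	}
	return resp, nil
}

// followRedirect sends GET initial carrying an Authorization header through
// a client whose "network" redirects it to target, and reports whether the
// header was present on the redirected request. checkRedirect may be nil for
// the client's default policy.
func followRedirect(initial, target string, checkRedirect func(*http.Request, []*http.Request) error) (bool, error) {
	tr := &redirectingTransport{target: target}
	client := &http.Client{Transport: tr, CheckRedirect: checkRedirect}

	req, err := http.NewRequest(http.MethodGet, initial, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer assumed-example-token")

	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	resp.Body.Close()

	if len(tr.seen) != 2 {
		return false, fmt.Errorf("expected 2 requests, transport saw %d", len(tr.seen))
	}
	return tr.seen[1].Get("Authorization") != "", nil
}

// stripAuthOnHostChange is a CheckRedirect policy stricter than the client's
// subdomain rule: credentials are dropped whenever the host differs from the
// one the original request went to, subdomain or not. The client copies
// headers onto the new request before calling CheckRedirect, so deleting
// them here is effective.
func stripAuthOnHostChange(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return fmt.Errorf("stopped after %d redirects", len(via))
	}
	if req.URL.Hostname() != via[0].URL.Hostname() {
		req.Header.Del("Authorization")
		req.Header.Del("Cookie")
	}
	return nil
}

func main() {
	cases := []struct {
		target string
		policy func(*http.Request, []*http.Request) error
		label  string
	}{
		{"https://www.foo.com/", nil, "default policy, subdomain"},
		{"https://bar.com/", nil, "default policy, other domain"},
		{"https://www.foo.com/", stripAuthOnHostChange, "strict policy, subdomain"},
	}
	for _, c := range cases {
		fwd, err := followRedirect("https://foo.com/login", c.target, c.policy)
		fmt.Printf("%-30s forwarded=%v err=%v\n", c.label, fwd, err)
	}
}
```

The default policy forwards the header to www.foo.com and withholds it from bar.com, which is the behaviour the announcement describes; the strict policy withholds it from www.foo.com as well. Because the transport is a fake, the same function can be pointed at any target URL a redirect might carry, which is a cheap way to check what a given Go toolchain does with a host string before trusting it in production.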