Search CVE reports
11 – 20 of 29 results
Some fixes available 3 of 31
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event...
16 affected packages
golang-1.22, golang-1.23, golang-1.21, golang, golang-1.6...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-1.22 | Fixed | Fixed | Needs evaluation | — |
golang-1.23 | Needs evaluation | Needs evaluation | Not in release | — |
golang-1.21 | Needs evaluation | Needs evaluation | Needs evaluation | Not in release |
golang | Not in release | Not in release | Not in release | Not in release |
golang-1.6 | Not in release | Not in release | Not in release | Not in release |
golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.9 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.10 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.13 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
golang-1.14 | Not in release | Not in release | Needs evaluation | Not in release |
golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation |
golang-1.17 | Not in release | Needs evaluation | Not in release | Not in release |
golang-1.18 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
golang-1.19 | Not in release | Not in release | Not in release | Not in release |
golang-1.20 | Not in release | Needs evaluation | Needs evaluation | Not in release |
golang-1.24 | Not in release | Not in release | Not in release | — |
Using ParsePKCS1PrivateKey to parse an RSA key that is missing the CRT values would panic when verifying that the key is well formed.
15 affected packages
golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang | Not in release | Not in release | Not in release | — |
golang-1.6 | Not in release | Not in release | Not in release | — |
golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.9 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.10 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.13 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
golang-1.14 | Not in release | Not in release | Needs evaluation | — |
golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation |
golang-1.17 | Not in release | Needs evaluation | Not in release | — |
golang-1.18 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
golang-1.20 | Not in release | Needs evaluation | Needs evaluation | — |
golang-1.21 | Needs evaluation | Needs evaluation | Needs evaluation | — |
golang-1.22 | Not affected | Not affected | Needs evaluation | — |
golang-1.23 | Needs evaluation | Needs evaluation | Not in release | — |
golang-1.24 | Not in release | Not in release | Not in release | — |
Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected...
15 affected packages
golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang | Not in release | Not in release | Not in release | — |
golang-1.6 | Not in release | Not in release | Not in release | — |
golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.9 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.10 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.13 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
golang-1.14 | Not in release | Not in release | Needs evaluation | — |
golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation |
golang-1.17 | Not in release | Needs evaluation | Not in release | — |
golang-1.18 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
golang-1.20 | Not in release | Needs evaluation | Needs evaluation | — |
golang-1.21 | Needs evaluation | Needs evaluation | Needs evaluation | — |
golang-1.22 | Not affected | Not affected | Needs evaluation | — |
golang-1.23 | Needs evaluation | Needs evaluation | Not in release | — |
golang-1.24 | Not in release | Not in release | Not in release | — |
Some fixes available 8 of 26
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
14 affected packages
golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang | Not in release | Not in release | Not in release | — |
golang-1.6 | Not in release | Not in release | Not in release | — |
golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.9 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.10 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.13 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
golang-1.14 | Not in release | Not in release | Needs evaluation | — |
golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation |
golang-1.17 | Not in release | Fixed | Not in release | — |
golang-1.18 | Not in release | Fixed | Fixed | Fixed |
golang-1.19 | Not in release | Not in release | Not in release | — |
golang-1.20 | Not in release | Needs evaluation | Needs evaluation | — |
golang-1.21 | Needs evaluation | Needs evaluation | Needs evaluation | — |
golang-1.22 | Fixed | Fixed | Fixed | — |
Some fixes available 8 of 26
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
14 affected packages
golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang | Not in release | Not in release | Not in release | — |
golang-1.6 | Not in release | Not in release | Not in release | — |
golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.9 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.10 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.13 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
golang-1.14 | Not in release | Not in release | Needs evaluation | — |
golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation |
golang-1.17 | Not in release | Fixed | Not in release | — |
golang-1.18 | Not in release | Fixed | Fixed | Fixed |
golang-1.19 | Not in release | Not in release | Not in release | — |
golang-1.20 | Not in release | Needs evaluation | Needs evaluation | — |
golang-1.21 | Needs evaluation | Needs evaluation | Needs evaluation | — |
golang-1.22 | Fixed | Fixed | Fixed | — |
Some fixes available 8 of 26
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
14 affected packages
golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang | Not in release | Not in release | Not in release | — |
golang-1.6 | Not in release | Not in release | Not in release | — |
golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.9 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.10 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.13 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
golang-1.14 | Not in release | Not in release | Needs evaluation | — |
golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation |
golang-1.17 | Not in release | Fixed | Not in release | — |
golang-1.18 | Not in release | Fixed | Fixed | Fixed |
golang-1.19 | Not in release | Not in release | Not in release | — |
golang-1.20 | Not in release | Needs evaluation | Needs evaluation | — |
golang-1.21 | Needs evaluation | Needs evaluation | Needs evaluation | — |
golang-1.22 | Fixed | Fixed | Fixed | — |
Some fixes available 8 of 29
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an...
14 affected packages
golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang | Not in release | Not in release | Not in release | — |
golang-1.6 | Not in release | Not in release | Not in release | — |
golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.9 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.10 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.13 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
golang-1.14 | Not in release | Not in release | Needs evaluation | — |
golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation |
golang-1.17 | Not in release | Fixed | Not in release | — |
golang-1.18 | Not in release | Fixed | Fixed | Fixed |
golang-1.19 | Not in release | Not in release | Not in release | — |
golang-1.20 | Not in release | Needs evaluation | Needs evaluation | — |
golang-1.21 | Needs evaluation | Needs evaluation | Needs evaluation | — |
golang-1.22 | Fixed | Fixed | Fixed | — |
Some fixes available 5 of 26
Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad behaviors, including executing...
14 affected packages
golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang | Not in release | Not in release | Not in release | — |
golang-1.6 | Not in release | Not in release | Not in release | — |
golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.9 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.10 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.13 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
golang-1.14 | Not in release | Not in release | Needs evaluation | — |
golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation |
golang-1.17 | Not in release | Fixed | Not in release | — |
golang-1.18 | Not in release | Fixed | Fixed | Fixed |
golang-1.19 | Not in release | Not in release | Not in release | — |
golang-1.20 | Not in release | Needs evaluation | Needs evaluation | — |
golang-1.21 | Needs evaluation | Needs evaluation | Needs evaluation | — |
golang-1.22 | Not affected | Not affected | Not affected | — |
httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to look up in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs....
14 affected packages
golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang | Not in release | Not in release | Not in release | — |
golang-1.6 | Not in release | Not in release | Not in release | — |
golang-1.8 | Not in release | Not in release | Not in release | Not affected |
golang-1.9 | Not in release | Not in release | Not in release | Not affected |
golang-1.10 | Not in release | Not in release | Not in release | Not affected |
golang-1.13 | Not in release | Not affected | Not affected | Not affected |
golang-1.14 | Not in release | Not in release | Not affected | — |
golang-1.16 | Not in release | Not in release | Not affected | Not affected |
golang-1.17 | Not in release | Not affected | Not in release | — |
golang-1.18 | Not in release | Not affected | Not affected | Not affected |
golang-1.19 | Not in release | Not in release | Not in release | — |
golang-1.20 | Not in release | Not affected | Not affected | — |
golang-1.21 | Not affected | Not affected | Not affected | — |
golang-1.22 | Not affected | Not affected | Not affected | — |
Some fixes available 10 of 26
The various Is methods (IsPrivate, IsLoopback, etc.) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
9 affected packages
golang-1.10, golang-1.13, golang-1.14, golang-1.16, golang-1.17...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-1.10 | Not in release | Not in release | Not in release | Needs evaluation |
golang-1.13 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
golang-1.14 | Not in release | Not in release | Needs evaluation | — |
golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation |
golang-1.17 | Not in release | Needs evaluation | Not in release | — |
golang-1.18 | Not in release | Fixed | Fixed | Fixed |
golang-1.20 | Not in release | Needs evaluation | Needs evaluation | — |
golang-1.22 | Fixed | Fixed | Fixed | — |
golang-1.21 | Fixed | Fixed | Fixed | — |