========================================================================== Ubuntu Security Notice USN-6038-2 January 09, 2024
golang-1.13, golang-1.16 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS (Available with Ubuntu Pro) - Ubuntu 16.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in Go. Software Description: - golang-1.13: Go programming language compiler - golang-1.16: Go programming language compiler Details: USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16. CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16. Original advisory details: It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. (CVE-2022-1705) It was discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting into a denial of service. (CVE-2022-1962, CVE-2022-27664, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, CVE-2022-32189, CVE-2022-41715, CVE-2022-41717, CVE-2023-24534, CVE-2023-24537) It was discovered that Go did not properly implemented the maximum size of file headers in Reader.Read. An attacker could possibly use this issue to cause a panic resulting into a denial of service. (CVE-2022-2879) It was discovered that the Go net/http module incorrectly handled query parameters in requests forwarded by ReverseProxy. A remote attacker couldpossibly use this issue to perform an HTTP Query Parameter Smuggling attack.
(CVE-2022-2880) It was discovered that Go did not properly manage the permissions for Faccessat function. A attacker could possibly use this issue to expose sensitive information. (CVE-2022-29526) It was discovered that Go did not properly generate the values for ticket_age_add in session tickets. An attacker could possibly use this issue to observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. (CVE-2022-30629) It was discovered that Go did not properly manage client IP addresses in net/http. An attacker could possibly use this issue to cause ReverseProxy to set the client IP as the value of the X-Forwarded-For header. (CVE-2022-32148) It was discovered that Go did not properly validate backticks (`) as Javascript string delimiters, and do not escape them as expected. An attacker could possibly use this issue to inject arbitrary Javascript code into the Go template. (CVE-2023-24538) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: golang-1.13 1.13.8-1ubuntu2.22.04.2 golang-1.13-go 1.13.8-1ubuntu2.22.04.2 golang-1.13-src 1.13.8-1ubuntu2.22.04.2 Ubuntu 20.04 LTS: golang-1.13 1.13.8-1ubuntu1.2 golang-1.13-go 1.13.8-1ubuntu1.2 golang-1.13-src 1.13.8-1ubuntu1.2 golang-1.16 1.16.2-0ubuntu1~20.04.1 golang-1.16-go 1.16.2-0ubuntu1~20.04.1 golang-1.16-src 1.16.2-0ubuntu1~20.04.1 Ubuntu 18.04 LTS (Available with Ubuntu Pro): golang-1.13 1.13.8-1ubuntu1~18.04.4+esm1 golang-1.13-go 1.13.8-1ubuntu1~18.04.4+esm1 golang-1.13-src 1.13.8-1ubuntu1~18.04.4+esm1 golang-1.16 1.16.2-0ubuntu1~18.04.2+esm1 golang-1.16-go 1.16.2-0ubuntu1~18.04.2+esm1 golang-1.16-src 1.16.2-0ubuntu1~18.04.2+esm1 Ubuntu 16.04 LTS (Available with Ubuntu Pro): golang-1.13 1.13.8-1ubuntu1~16.04.3+esm3 golang-1.13-go 1.13.8-1ubuntu1~16.04.3+esm3 golang-1.13-src 1.13.8-1ubuntu1~16.04.3+esm3 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6038-2 https://ubuntu.com/security/notices/USN-6038-1 CVE-2022-1705, CVE-2022-27664, CVE-2022-28131, CVE-2022-2879, CVE-2022-2880, CVE-2022-29526, CVE-2022-30629, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, CVE-2022-32148, CVE-2022-32189, CVE-2022-41717, CVE-2023-24534, CVE-2023-24537, CVE-2023-24538 Package Information: https://launchpad.net/ubuntu/+source/golang-1.13/1.13.8-1ubuntu2.22.04.2 https://launchpad.net/ubuntu/+source/golang-1.13/1.13.8-1ubuntu1.2 https://launchpad.net/ubuntu/+source/golang-1.16/1.16.2-0ubuntu1~20.04.1
OpenPGP_0x96F770C739BC5ACE.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
