golang-1.7.git
4 years ago  CVE-2019-17596
Go Compiler Team [Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)]
CVE-2019-17596

Origin: https://github.com/golang/go/commit/2017d88dbc096381d4f348d2fb08bfb3c2b7ed73
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2021-03-12

From 2017d88dbc096381d4f348d2fb08bfb3c2b7ed73 Mon Sep 17 00:00:00 2001
From: Katie Hockman <katie@golang.org>
Date: Mon, 14 Oct 2019 16:42:21 -0400
Subject: [PATCH] [release-branch.go1.12-security] crypto/dsa: prevent bad
 public keys from causing panic

dsa.Verify might currently use a nil s inverse in a
multiplication if the public key contains a non-prime Q,
causing a panic. Change this to check that the mod
inverse exists before using it.

Fixes CVE-2019-17596

Change-Id: I94d5f3cc38f1b5d52d38dcb1d253c71b7fd1cae7
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/572809
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit 9119dfb0511326d4485b248b83d4fde19c95d0f7)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/575232

Gbp-Pq: Name CVE-2019-17596.patch

4 years ago  CVE-2019-16276
Go Compiler Team [Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)]
CVE-2019-16276

Origin: https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2021-03-12

From 6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Thu, 12 Sep 2019 12:37:36 -0400
Subject: [PATCH] [release-branch.go1.12-security] net/textproto: don't
 normalize headers with spaces before the colon

RFC 7230 is clear about headers with a space before the colon, like

X-Answer : 42

being invalid, but we've been accepting and normalizing them for compatibility
purposes since CL 5690059 in 2012.

On the client side, this is harmless and indeed most browsers behave the same
to this day. On the server side, this becomes a security issue when the
behavior doesn't match that of a reverse proxy sitting in front of the server.

For example, if a WAF accepts them without normalizing them, it might be
possible to bypass its filters, because the Go server would interpret the
header differently. Worse, if the reverse proxy coalesces requests onto a
single HTTP/1.1 connection to a Go server, the understanding of the request
boundaries can get out of sync between them, allowing an attacker to tack an
arbitrary method and path onto a request by other clients, including
authentication headers unknown to the attacker.

This was recently presented at multiple security conferences:
https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn

net/http servers already reject header keys with invalid characters.
Simply stop normalizing extra spaces in net/textproto, let it return them
unchanged like it does for other invalid headers, and let net/http enforce
RFC 7230, which is HTTP specific. This loses us normalization on the client
side, but there's no right answer on the client side anyway, and hiding the
issue sounds worse than letting the application decide.

Fixes CVE-2019-16276

Change-Id: I6d272de827e0870da85d93df770d6a0e161bbcf1
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/549719
Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>
(cherry picked from commit 1280b868e82bf173ea3e988be3092d160ee66082)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/558776
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Gbp-Pq: Name CVE-2019-16276.patch
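
The parser differential the commit message describes, as an added example (code written for this page, not the net/textproto source or the patch). `parseHeaderLenient` reproduces the pre-patch behaviour of dropping spaces before the colon; `parseHeaderStrict` applies the RFC 7230 rule that the field name is a token immediately followed by the colon; `disagree` is the check a defender cares about, since two hops reading one header line differently is the precondition for the desync. The sample lines are constructed for the example:

```go
package main

import (
	"errors"
	"fmt"
	"net/textproto"
	"strconv"
	"strings"
)

// parseHeaderLenient reproduces the behaviour described for net/textproto
// before the patch: spaces between the field name and the colon are dropped,
// so "X-Answer : 42" is treated as the X-Answer header.
func parseHeaderLenient(line string) (key, value string, err error) {
	i := strings.IndexByte(line, ':')
	if i < 0 {
		return "", "", errors.New("malformed MIME header line: " + line)
	}
	key = strings.TrimRight(line[:i], " ")
	return textproto.CanonicalMIMEHeaderKey(key), strings.TrimSpace(line[i+1:]), nil
}

// isToken reports whether s is a non-empty RFC 7230 token: only tchar bytes,
// which excludes whitespace, control characters and separators.
func isToken(s string) bool {
	if s == "" {
		return false
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9':
		case strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0:
		default:
			return false
		}
	}
	return true
}

// parseHeaderStrict applies RFC 7230 section 3.2.4: the field name must be a
// token immediately followed by the colon. Anything else is an error, which
// keeps the server's reading of the message identical to that of a strict
// proxy in front of it instead of silently repairing the line.
func parseHeaderStrict(line string) (key, value string, err error) {
	i := strings.IndexByte(line, ':')
	if i < 0 {
		return "", "", errors.New("malformed MIME header line: " + line)
	}
	if !isToken(line[:i]) {
		return "", "", errors.New("invalid header field name " + strconv.Quote(line[:i]))
	}
	return textproto.CanonicalMIMEHeaderKey(line[:i]), strings.TrimSpace(line[i+1:]), nil
}

// disagree reports whether the two parsers attribute the line to different
// headers, or only one of them accepts it at all.
func disagree(line string) bool {
	lk, _, lerr := parseHeaderLenient(line)
	sk, _, serr := parseHeaderStrict(line)
	return (lerr == nil) != (serr == nil) || lk != sk
}

func main() {
	// Constructed sample header lines for this example.
	for _, line := range []string{"Content-Length: 5", "X-Answer : 42", "x-answer:42", "Bad Name: 1"} {
		lk, lv, lerr := parseHeaderLenient(line)
		sk, sv, serr := parseHeaderStrict(line)
		fmt.Printf("%-18q lenient=%q/%q (%v)  strict=%q/%q (%v)  disagree=%v\n",
			line, lk, lv, lerr, sk, sv, serr, disagree(line))
	}
}
```

Note that `textproto.CanonicalMIMEHeaderKey` returns a name containing a space unchanged, so the lenient parser's output for "Bad Name: 1" is a key no RFC-conforming peer would ever produce; rejecting at parse time, as the patch does, is what makes such lines visible rather than silently accepted.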

4 years ago  CVE-2019-9741
Go Compiler Team [Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)]
CVE-2019-9741

Origin: https://github.com/golang/go/commit/829c5df58694b3345cb5ea41206783c8ccf5c3ca
Origin: https://github.com/golang/go/commit/f1d662f34788f4a5f087581d0951cdf4e0f6e708
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2021-03-12

From 829c5df58694b3345cb5ea41206783c8ccf5c3ca Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@golang.org>
Date: Wed, 23 Jan 2019 19:09:07 +0000
Subject: [PATCH] net/url, net/http: reject control characters in URLs

This is a more conservative version of the reverted CL 99135 (which
was reverted in CL 137716).

The net/url part rejects URLs with ASCII CTLs from being parsed and
the net/http part rejects writing them if a bogus url.URL is
constructed otherwise.

Updates #27302
Updates #22907

Change-Id: I09a2212eb74c63db575223277aec363c55421ed8
Reviewed-on: https://go-review.googlesource.com/c/159157
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Gbp-Pq: Name CVE-2019-9741.patch
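
An added example of the two halves described above, written for this page rather than taken from the patch: `newRequestRejects` shows that `http.NewRequest` (through `url.Parse`) now refuses a URL string containing an ASCII control byte, and `buildRequestURL` shows the construction that never needed the rejection in the first place, putting untrusted pieces into `url.URL` fields and `url.Values` so that CR and LF are percent-encoded. `hasASCIICTL` and the sample inputs are constructed for the example:

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// hasASCIICTL reports whether s contains an ASCII control character
// (0x00-0x1F or 0x7F), the byte class the patch rejects in URLs.
func hasASCIICTL(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < 0x20 || s[i] == 0x7f {
			return true
		}
	}
	return false
}

// newRequestRejects reports whether http.NewRequest refuses the raw URL.
// url.Parse, which NewRequest calls, fails on ASCII CTLs since this patch,
// so a CR/LF embedded in a URL string cannot reach the request line.
func newRequestRejects(raw string) bool {
	_, err := http.NewRequest(http.MethodGet, raw, nil)
	return err != nil
}

// buildRequestURL is the defensive construction: untrusted data goes into the
// url.URL path and url.Values, whose encoders percent-encode CR, LF and other
// control bytes, instead of being concatenated into the URL string.
// (segment is treated as a path suffix; a '/' inside it still splits.)
func buildRequestURL(base *url.URL, segment, query string) (string, error) {
	u := *base
	u.Path = base.Path + "/" + segment
	u.RawQuery = url.Values{"q": {query}}.Encode()
	s := u.String()
	if hasASCIICTL(s) {
		return "", errors.New("control character survived encoding")
	}
	if _, err := url.Parse(s); err != nil {
		return "", err
	}
	return s, nil
}

func main() {
	// Constructed inputs for this example: a query value carrying CR/LF.
	raw := "http://example.com/search?q=a\r\nX-Injected: 1"
	fmt.Println("raw URL with CR/LF rejected by http.NewRequest:", newRequestRejects(raw))
	base, _ := url.Parse("http://example.com/api")
	if s, err := buildRequestURL(base, "item\r\nX-Injected: 1", "a\r\nb"); err == nil {
		fmt.Println("encoded URL:", s)
	} else {
		fmt.Println("error:", err)
	}
}
```

The rejection in `url.Parse` is the safety net; the encoded construction is the habit that keeps application code from depending on it, since a `url.URL` assembled field by field is also what `net/http` refuses to write if a control byte is placed there directly.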

4 years ago  CVE-2018-16873,16874
Go Compiler Team [Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)]
CVE-2018-16873,16874

Origin: https://github.com/golang/go/commit/90d609ba6156299642d08afc06d85ab770a03972
Origin: https://github.com/golang/go/commit/7ef6ee2c5727f0d11206b4d1866c18e6ab4785be
Origin: https://github.com/golang/go/commit/25bee965c685e3f35c10076648685e22e59fd656
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2021-03-04

From 90d609ba6156299642d08afc06d85ab770a03972 Mon Sep 17 00:00:00 2001
From: "Bryan C. Mills" <bcmills@google.com>
Date: Mon, 3 Dec 2018 15:12:08 -0500
Subject: [PATCH] [release-branch.go1.10-security] cmd/go: reject 'get' of
 paths containing leading dots or unsupported characters

On some platforms, directories beginning with dot are treated as
hidden files, and filenames containing unusual characters can be
confusing for users to manipulate (and delete).

Change-Id: I443bdeb98e4de24b8a93a75fb923f4d41052e8f7
Reviewed-on: https://team-review.git.corp.google.com/c/368703
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Gbp-Pq: Name CVE-2018-16873,16874.patch

4 years ago  CVE-2017-15041
Go Compiler Team [Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)]
CVE-2017-15041

Origin: https://github.com/golang/go/commit/9a97c3bfe41d1ed768ea3bd3d8f0f52b8a51bb62
Origin: https://github.com/golang/go/commit/a4544a0f8af001d1fb6df0e70750f570ec49ccf9
Origin: https://github.com/golang/go/commit/533ee44cd45c064608ee2b833af9e86ef1cb294e
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2021-03-02

From 9a97c3bfe41d1ed768ea3bd3d8f0f52b8a51bb62 Mon Sep 17 00:00:00 2001
From: Russ Cox <rsc@golang.org>
Date: Thu, 13 Oct 2016 13:45:31 -0400
Subject: [PATCH] cmd/go: accept plain file for .vcs (instead of directory)

Sometimes .git is a plain file; maybe others will follow.
This CL matches CL 21430, made in x/tools/go/vcs.

The change in the Swift test case makes the test case
pass by changing the test to match current behavior,
which I assume is better than the reverse.
(The test only runs locally and without -short, so the
builders are not seeing this particular failure.)

For #10322.

Change-Id: Iccd08819a01c5609a2880b9d8a99af936e20faff
Reviewed-on: https://go-review.googlesource.com/30948
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Gbp-Pq: Name CVE-2017-15041.patch

4 years ago  CVE-2020-15586
Go Compiler Team [Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)]
CVE-2020-15586

===================================================================

Gbp-Pq: Name CVE-2020-15586.patch

4 years ago  CVE-2020-16845
Go Compiler Team [Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)]
CVE-2020-16845

Gbp-Pq: Name CVE-2020-16845.patch

4 years ago  [PATCH] cmd/go: restrict meta imports to valid schemes
Ian Lance Taylor [Thu, 15 Feb 2018 23:57:13 +0000 (15:57 -0800)]
[PATCH] cmd/go: restrict meta imports to valid schemes

Before this change, when using -insecure, we permitted any meta import
repo root as long as it contained "://". When not using -insecure, we
restrict meta import repo roots to be valid URLs. People may depend on
that somehow, so permit meta import repo roots to be invalid URLs, but
require them to have valid schemes per RFC 3986.

Fixes #23867

Change-Id: Iac666dfc75ac321bf8639dda5b0dba7c8840922d
Reviewed-on: https://go-review.googlesource.com/94603
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Gbp-Pq: Name cve-2018-7187.patch

4 years ago  cve-2019-6486
Go Compiler Team [Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)]
cve-2019-6486

Gbp-Pq: Name cve-2019-6486.patch

4 years ago  [PATCH] time: make the ParseInLocation test more robust
Alberto Donizetti [Thu, 9 Mar 2017 12:20:54 +0000 (13:20 +0100)]
[PATCH] time: make the ParseInLocation test more robust

The tzdata 2017a update (2017-02-28) changed the abbreviation of the
Asia/Baghdad time zone (used in TestParseInLocation) from 'AST' to the
numeric '+03'.

Update the test so that it skips the checks if we're using a recent
tzdata release.

Fixes #19457

Change-Id: I45d705a5520743a611bdd194dc8f8d618679980c
Reviewed-on: https://go-review.googlesource.com/37964
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

Gbp-Pq: Name cl-37964--tzdata-2017a.patch

4 years ago  [PATCH] time: update test for tzdata-2016g
Alberto Donizetti [Thu, 29 Sep 2016 11:59:10 +0000 (13:59 +0200)]
[PATCH] time: update test for tzdata-2016g

From c5434f2973a87acff76bac359236e690d632ce95 Mon Sep 17 00:00:00 2001
Origin: https://golang.org/cl/29995
Bug: https://golang.org/issue/17276
Applied-Upstream: 1.8

Fixes #17276

Change-Id: I0188cf9bc5fdb48c71ad929cc54206d03e0b96e4
Reviewed-on: https://go-review.googlesource.com/29995
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

Gbp-Pq: Name cl-29995--tzdata-2016g.patch

4 years ago  golang-1.7 (1.7.4-2+deb9u3) stretch-security; urgency=high
Sylvain Beucler [Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)]
golang-1.7 (1.7.4-2+deb9u3) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2017-15041: Go allows "go get" remote command execution. Using
    custom domains, it is possible to arrange things so that
    example.com/pkg1 points to a Subversion repository but
    example.com/pkg1/pkg2 points to a Git repository. If the Subversion
    repository includes a Git checkout in its pkg2 directory and some
    other work is done to ensure the proper ordering of operations, "go
    get" can be tricked into reusing this Git checkout for the fetch of
    code from pkg2. If the Subversion repository's Git checkout has
    malicious commands in .git/hooks/, they will execute on the system
    running "go get."
  * CVE-2018-16873: the "go get" command is vulnerable to remote code
    execution when executed with the -u flag and the import path of a
    malicious Go package, as it may treat the parent directory as a Git
    repository root, containing malicious configuration.
  * CVE-2018-16874: the "go get" command is vulnerable to directory
    traversal when executed with the import path of a malicious Go package
    which contains curly braces (both '{' and '}' characters). The
    attacker can cause an arbitrary filesystem write, which can lead to
    code execution.
  * CVE-2019-9741: in net/http, CRLF injection is possible if the attacker
    controls a url parameter, as demonstrated by the second argument to
    http.NewRequest with \r\n followed by an HTTP header or a Redis
    command.
  * CVE-2019-16276: Go allows HTTP Request Smuggling.
  * CVE-2019-17596: Go can panic upon an attempt to process network
    traffic containing an invalid DSA public key. There are several attack
    scenarios, such as traffic from a client to a server that verifies
    client certificates.
  * CVE-2021-3114: crypto/elliptic/p224.go can generate incorrect outputs,
    related to an underflow of the lowest limb during the final complete
    reduction in the P-224 field.

[dgit import unpatched golang-1.7 1.7.4-2+deb9u3]

4 years ago  Import golang-1.7_1.7.4-2+deb9u3.debian.tar.xz
Sylvain Beucler [Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)]
Import golang-1.7_1.7.4-2+deb9u3.debian.tar.xz

[dgit import tarball golang-1.7 1.7.4-2+deb9u3 golang-1.7_1.7.4-2+deb9u3.debian.tar.xz]

9 years ago  Import golang-1.7_1.7.4.orig.tar.gz
Tianon Gravi [Fri, 2 Dec 2016 21:30:36 +0000 (21:30 +0000)]
Import golang-1.7_1.7.4.orig.tar.gz

[dgit import orig golang-1.7_1.7.4.orig.tar.gz]