what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Ubuntu Security Notice USN-6038-1

Ubuntu Security Notice USN-6038-1
Posted Apr 25, 2023
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6038-1 - It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. It was discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting into a denial of service.

tags | advisory, remote, web, denial of service
systems | linux, ubuntu
advisories | CVE-2022-1705, CVE-2022-28131, CVE-2022-2879, CVE-2022-2880, CVE-2022-29526, CVE-2022-30629, CVE-2022-30630, CVE-2022-30633, CVE-2022-30635, CVE-2022-32148, CVE-2022-41717, CVE-2023-24534, CVE-2023-24538
SHA-256 | d693c7af1fb087931225b61859ba4862bde511f2a7551346eb8eb6777bf0309d

Ubuntu Security Notice USN-6038-1

Change Mirror Download
=========================================================================
Ubuntu Security Notice USN-6038-1
April 25, 2023

golang-1.18 vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Go.

Software Description:
- golang-1.18: Go programming language compiler - metapackage

Details:

It was discovered that the Go net/http module incorrectly handled
Transfer-Encoding headers in the HTTP/1 client. A remote attacker could
possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2022-1705)

It was discovered that Go did not properly manage memory under certain
circumstances. An attacker could possibly use this issue to cause a panic
resulting into a denial of service. (CVE-2022-1962, CVE-2022-27664,
CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632,
CVE-2022-30633, CVE-2022-30635, CVE-2022-32189, CVE-2022-41715,
CVE-2022-41717, CVE-2023-24534, CVE-2023-24537)

It was discovered that Go did not properly implemented the maximum size of
file headers in Reader.Read. An attacker could possibly use this issue to
cause a panic resulting into a denial of service. (CVE-2022-2879)

It was discovered that the Go net/http module incorrectly handled query
parameters in requests forwarded by ReverseProxy. A remote attacker could
possibly use this issue to perform an HTTP Query Parameter Smuggling attack.
(CVE-2022-2880)

It was discovered that Go did not properly manage the permissions for
Faccessat function. A attacker could possibly use this issue to expose
sensitive information. (CVE-2022-29526)

It was discovered that Go did not properly generate the values for
ticket_age_add in session tickets. An attacker could possibly use this
issue to observe TLS handshakes to correlate successive connections by
comparing ticket ages during session resumption. (CVE-2022-30629)

It was discovered that Go did not properly manage client IP addresses in
net/http. An attacker could possibly use this issue to cause ReverseProxy
to set the client IP as the value of the X-Forwarded-For header.
(CVE-2022-32148)

It was discovered that Go did not properly validate backticks (`) as
Javascript string delimiters, and do not escape them as expected. An
attacker could possibly use this issue to inject arbitrary Javascript code
into the Go template. (CVE-2023-24538)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
golang-1.18 1.18.1-1ubuntu1.1
golang-1.18-go 1.18.1-1ubuntu1.1
golang-1.18-src 1.18.1-1ubuntu1.1

Ubuntu 20.04 LTS:
golang-1.18 1.18.1-1ubuntu1~20.04.2
golang-1.18-go 1.18.1-1ubuntu1~20.04.2
golang-1.18-src 1.18.1-1ubuntu1~20.04.2

Ubuntu 18.04 LTS:
golang-1.18 1.18.1-1ubuntu1~18.04.4
golang-1.18-go 1.18.1-1ubuntu1~18.04.4
golang-1.18-src 1.18.1-1ubuntu1~18.04.4

In general, a standard system update will make all the necessary changes.
You still need to update all the packages built with the affected version.

References:
https://ubuntu.com/security/notices/USN-6038-1
CVE-2022-1705, CVE-2022-1962, CVE-2022-27664, CVE-2022-28131,
CVE-2022-2879, CVE-2022-2880, CVE-2022-29526, CVE-2022-30629,
CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633,
CVE-2022-30635, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715,
CVE-2022-41717, CVE-2023-24534, CVE-2023-24537, CVE-2023-24538

Package Information:
https://launchpad.net/ubuntu/+source/golang-1.18/1.18.1-1ubuntu1.1
https://launchpad.net/ubuntu/+source/golang-1.18/1.18.1-1ubuntu1~20.04.2
https://launchpad.net/ubuntu/+source/golang-1.18/1.18.1-1ubuntu1~18.04.4
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close