From nobody Wed Feb 15 19:07:08 2023
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PH6yN5Lg8z3rCGx;
	Wed, 15 Feb 2023 19:07:08 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4PH6yN4rFkz4Cg8;
	Wed, 15 Feb 2023 19:07:08 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1676488028;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=uWRI2sGGYGqYgKV3790YiW+BsfmC7uVHFmuLm2O2d4Q=;
	b=XtbuCSiQUL5OnvjMOBFaVMPJsXbk0z1+uJ2Vn6Z2dQQiBSxeqtekBffgGaUbioPRaLW6Hy
	g0KNtEPBfRIG0w9KzK+8evyZ1U9YmXpBCfdODPJmNJXXPsEuNchSdwZE0yaTa6dZRk/ZEd
	OJ9ZaH9t2ojMzp6NZ7cK2SvWqbXRFFJCVnGPEqo180bcSFdRqi4zWLJpeZwOTNVGr5qyAC
	bhr4iClKaZxjQJJoVBlGbIiiTVQIMGowREphZ/iOgVAVtNyoi/ibE7wPI/DxOn1qWl246j
	RmYMrgmpFhPZYyKYnj7MUVC1+n56HcCX5OYOdeRaQMI/Ga5yTyMwxKWy+iJZ2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1676488028;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=uWRI2sGGYGqYgKV3790YiW+BsfmC7uVHFmuLm2O2d4Q=;
	b=bRzdGiaNa8bbQupENV1Svr+aMTmIM9cntEguGt6DaLpUWDgGA/MiL9V4/nh6i9HyRsB3LT
	cYQBqhTQEZ5NJMtjUkdnvLyVjN4TQqFqnhLKD4hSsjOjMXulOcvsQklYOKtXYcIZ2RJFeQ
	jSRL08b8E50iWDofzNXn9QTvN7hHNH70+j1fmTagBArSlUKrQFdlfNrFexjaXauWcExAd0
	g7vG/bdOhyqwIZBHFFdd+HAyC5V5t5PlbmlgEMQREhCMktwx4o8BLdznyDgj+U40W9ANKQ
	F8mWWotQDEv0vWqmB+oRKT4oUoAc0Xo61T7xy6TjFM80P9Ji3jXRd+hDjyMyvw==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1676488028; a=rsa-sha256; cv=none;
	b=I7WFWywSoFzoIwxzu2JodsTuNdxO4BbVR4cjR3VMnwiArpDVSS9YnzqphfTBTWNVQCQMaI
	FFoFjLCNwI+1TyMMriJKYtIlPyMOf/e+8uYS1r41niEPkmPIbv5J2+OkTI/Qv+dQPdpB1Q
	967M2vdnX/YbFO1hjkaUHYB+k1w2uvwu7gGhu2X+hgmwxSmxco1BGjWmUDBBhafoOkNvid
	RoRzgWlOKjCezyWmPm7pUHFj6lDZowrDujxAM+M+gP3LeGBWv7ppUg26znEatzG5kQUa4p
	IcRqyChMEantsNBlgAtLwm3UMLiZUraGXuOKQ7IyDFPZygwlk6c7jDosKNA17A==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4PH6yN3vS0zbJb;
	Wed, 15 Feb 2023 19:07:08 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 31FJ78DF004621;
	Wed, 15 Feb 2023 19:07:08 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 31FJ782L004620;
	Wed, 15 Feb 2023 19:07:08 GMT
	(envelope-from git)
Date: Wed, 15 Feb 2023 19:07:08 GMT
Message-Id: <202302151907.31FJ782L004620@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: Dmitri Goutnik <dmgk@FreeBSD.org>
Subject: git: e71f23f26d49 - main - security/vuxml: Document Go vulnerabilities
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: dmgk
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: e71f23f26d49451cbe16367b780986365ba2bc71
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by dmgk:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e71f23f26d49451cbe16367b780986365ba2bc71

commit e71f23f26d49451cbe16367b780986365ba2bc71
Author:     Dmitri Goutnik <dmgk@FreeBSD.org>
AuthorDate: 2023-02-15 11:25:37 +0000
Commit:     Dmitri Goutnik <dmgk@FreeBSD.org>
CommitDate: 2023-02-15 19:06:01 +0000

    security/vuxml: Document Go vulnerabilities
---
 security/vuxml/vuln/2023.xml | 64 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index af1d214ee9ba..f6e27560c24e 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,67 @@
+  <vuln vid="3d73e384-ad1f-11ed-983c-83fe35862e3a">
+    <topic>go -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>go119</name>
+	<range><lt>1.19.6</lt></range>
+      </package>
+      <package>
+	<name>go120</name>
+	<range><lt>1.20.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Go project reports:</p>
+	<blockquote cite="https://go.dev/issue/57274">
+	  <p>path/filepath: path traversal in filepath.Clean on Windows</p>
+	  <p>On Windows, the filepath.Clean function could transform
+	    an invalid path such as a/../c:/b into the valid path
+	    c:\b. This transformation of a relative (if invalid)
+	    path into an absolute path could enable a directory
+	    traversal attack. The filepath.Clean function will now
+	    transform this path into the relative (but still
+	    invalid) path .\c:\b.</p>
+	</blockquote>
+	<blockquote cite="https://go.dev/issue/58006">
+	  <p>net/http, mime/multipart: denial of service from excessive
+	    resource consumption</p>
+	  <p>Multipart form parsing with
+	    mime/multipart.Reader.ReadForm can consume largely
+	    unlimited amounts of memory and disk files. This also
+	    affects form parsing in the net/http package with the
+	    Request methods FormFile, FormValue, ParseMultipartForm,
+	    and PostFormValue.</p>
+	</blockquote>
+	<blockquote cite="https://go.dev/issue/58001">
+	  <p>crypto/tls: large handshake records may cause panics</p>
+	  <p>
+	    Both clients and servers may send large TLS handshake
+	    records which cause servers and clients,
+	    respectively, to panic when attempting to construct responses.</p>
+	</blockquote>
+	<blockquote cite="https://go.dev/issue/57855">
+	  <p>net/http: avoid quadratic complexity in HPACK decoding</p>
+	  <p>A maliciously crafted HTTP/2 stream could cause
+	    excessive CPU consumption in the HPACK decoder,
+	    sufficient to cause a denial of service from a small
+	    number of small requests.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2022-41722</cvename>
+      <cvename>CVE-2022-41725</cvename>
+      <cvename>CVE-2022-41724</cvename>
+      <cvename>CVE-2022-41723</cvename>
+      <url>https://groups.google.com/g/golang-dev/c/G2APtTxT1HQ/m/6O6aksDaBAAJ</url>
+    </references>
+    <dates>
+      <discovery>2023-02-14</discovery>
+      <entry>2023-02-15</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="9c9ee9a6-ac5e-11ed-9323-080027d3a315">
     <topic>Django -- multiple vulnerabilities</topic>
     <affects>