From nobody Fri Dec 10 02:37:55 2021 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 2B81718E7886; Fri, 10 Dec 2021 02:37:56 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4J9FSM6BYpz4tWl; Fri, 10 Dec 2021 02:37:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id B443012B1C; Fri, 10 Dec 2021 02:37:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 1BA2bt4k061369; Fri, 10 Dec 2021 02:37:55 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 1BA2btGC061368; Fri, 10 Dec 2021 02:37:55 GMT (envelope-from git) Date: Fri, 10 Dec 2021 02:37:55 GMT Message-Id: <202112100237.1BA2btGC061368@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Guangyuan Yang Subject: git: cf5e0ff86377 - main - security/vuxml: Document lang/go vulnerabilities List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: ygy X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: cf5e0ff8637758f3b42646ca5f594e3c3905e5d6 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1639103875; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=mPCFliidBH+hdjN6vJAlFZQ8i0vnsAgOkkVItWmFS2w=; b=HJo4zAX7przoOdzTcQW1rji3ZLc5qVG+xG/vKs26ps4OSlv3HI+NNR8UHlOd4Hx44/jfit c3cheK6c16qOMHXLX9aocAiwPWrLgNB/iZB2Ste4XDVEqa9QYP0G4pSADqOMz7mxa/7UDy M1sjYNMK4dFtLEraKbMZlocQi2TXm7JM3K6XIrVr6xE7U8XHcuoyh2jXwUs/FF6uPIYYsy KMnC6bqI36N8uw4j11nDxcT0cPjCUEHlPpLD6Vk82RHEp+rpVPQxRvSZPABZQy/lTThVhr ODsBiOf+MmAdH121yL4z85wu35EsWFFieH9gSraAeTR9/1kztLC8az6s8b32FA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1639103875; a=rsa-sha256; cv=none; b=OXxe1UxGY3jrjX2hsCwB3nEUNHMpmq00kKRNDr8pWHTE8YjjUQ7DxvIPuTsTQDxTCIrrPq WcEsXmiaHDxIelvcMVSwvgNnxy5WciVIkYtb5T/EyoHhvuPenkxWUGBXXgKYuGz8Uwndvg 7TMVRCMsZbHcrTBoIJFk8YdMjYRA9J5IFxzFzRxDav8Ep3beXWquFdfYcv6/dOPk2T8kTz 4IcSq2rveM8nzqq4ZFCwSRXZLfSKhW7RNdhqQekfeq860qmPJlAS2H1DT2X8zp4qY8VvT8 x1AvnEbLQM7rJ5KxC5SDjPlnNC+kWmz32f6/67zXZiGwC6XufnjYIolaqe+ekg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by ygy: URL: https://cgit.FreeBSD.org/ports/commit/?id=cf5e0ff8637758f3b42646ca5f594e3c3905e5d6 commit cf5e0ff8637758f3b42646ca5f594e3c3905e5d6 Author: Guangyuan Yang AuthorDate: 2021-12-10 02:36:34 +0000 Commit: Guangyuan Yang CommitDate: 2021-12-10 02:36:34 +0000 security/vuxml: Document lang/go vulnerabilities --- security/vuxml/vuln-2021.xml | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index 43b87c9ef03c..8387a7630752 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -1,3 +1,43 @@ + + go -- multiple vulnerabilities + + + go + 1.17.5,1 + + + + +

The Go project reports:

+
+

net/http: limit growth of header canonicalization cache. An + attacker can cause unbounded memory growth in a Go server accepting + HTTP/2 requests.

+
+
+

syscall: don’t close fd 0 on ForkExec error. When a Go program + running on a Unix system is out of file descriptors and calls + syscall.ForkExec (including indirectly by using the os/exec + package), syscall.ForkExec can close file descriptor 0 as it fails. + If this happens (or can be provoked) repeatedly, it can result in + misdirected I/O such as writing network traffic intended for one + connection to a different connection, or content intended for one + file to a different one.

+
+ + + + CVE-2021-44716 + https://github.com/golang/go/issues/50058 + CVE-2021-44717 + https://github.com/golang/go/issues/50057 + + + 2021-12-08 + 2021-12-09 + + + chromium -- multiple vulnerabilities