From nobody Tue Oct 04 20:57:27 2022 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MhqlX1dWdz4dhLV; Tue, 4 Oct 2022 20:57:28 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MhqlX14wMz3GPk; Tue, 4 Oct 2022 20:57:28 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1664917048; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RekfS4cjZX3KAGN1ZM/um6AAUV1Y/DrCZZ+cTzbblhQ=; b=VhyYY/nFVqev/23t3knpFKUivIInwtKBlS7TwbaPecnRQDbOugp2ZSzIAJo5MaZe2tLY7y l4x2ZOO6RpvNAsFBKnig92QnuXBvs3xL2/71q+kFBWL0eCB/3eqvqmOEShI3lDXVuP2XpO McWbJvKz02QHw5xTkyvOjZIH4QDRohJ21eDggDm6GEoLhQ1jpJvFEBvm2umkAHxmEVIRyH kzavm2rw/LD63vD0+QKCkB+oO8c6T3eWyRrxbsixbtGhHAfoj74YYMjhG1mRh4szeuok05 T64vLv+nY+lddrBGyD2o1/eBg0rUJs5CA/rIXhIbm8lMhrsswXCmRu9aRMWwfg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4MhqlX05XJzh2r; Tue, 4 Oct 2022 20:57:28 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 294KvRg9086492; Tue, 4 Oct 2022 20:57:27 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 294KvRRp086491; Tue, 4 Oct 2022 20:57:27 GMT (envelope-from git) Date: Tue, 4 Oct 2022 20:57:27 GMT Message-Id: <202210042057.294KvRRp086491@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Dmitri Goutnik Subject: git: f1d8b3346b6a - main - security/vuxml: Document Go vulnerabilities List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: dmgk X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: f1d8b3346b6ad98a622ec17b6a4cfe32ae3c4936 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1664917048; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RekfS4cjZX3KAGN1ZM/um6AAUV1Y/DrCZZ+cTzbblhQ=; b=PnhW0iMHgep+/nDq1JhqZ29OncCnq0NP2V4ssF5d06ll5Z5m+XraWqDHZFV81EZR6H4BU8 RZtoWdccb2Y/pXt9TMVLtSDEmge+8nODXcYYcJkDX7ZCszjZemnX+FWQXCqt64TJF20tIA iOhE5agqGR36boLj/cjollteZoG5VzWU1mmBnJHTGnTMeJYZ5r47BjKC+4PInChdF304rz rJHK1eYvXgJU2lmtXEe2A7BnohmO8vArh/6ACLmpbq8wRTtEfsskQt+sq7yZUHyIQ1hP72 Xckov+cS1ThQEVFYNDzUQ2tVfNSpsCMOUZwpONoOIuMwnVu0IAEn9akPwJ3Nww== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1664917048; a=rsa-sha256; cv=none; b=qpxVOgjXiRgxo22cda1Mncjob5pI774TH7+vmT49ajZ8u/aI722CkhFP5OYVOOfv0G5xwd 3w7pkNlLoFitEPVEAkHAfKKXjLW+cuiJNjbH6iY83zFVCHQpBY5S2U/CgEZHShqKSBrNJ3 lktDcHchxYptub6ZHuUXINnV3MzX2/NJw5OskoOiyaLUDlmrxFeQTSHrMI9vAjAjW+ZUSv /yXwNb+ehHO+KTJNkVPQU3ugFSk8CLk62CbFKae9mqBTgS6HudJUiypji/ZILFV4KKGKkn z8hhPpGrADpYL97TY/EUOy4cZlUAs1OfA4uI9wrvCyqsvxaQEUJ+gs80TJDJWQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by dmgk: URL: https://cgit.FreeBSD.org/ports/commit/?id=f1d8b3346b6ad98a622ec17b6a4cfe32ae3c4936 commit f1d8b3346b6ad98a622ec17b6a4cfe32ae3c4936 Author: Dmitri Goutnik AuthorDate: 2022-10-04 20:52:41 +0000 Commit: Dmitri Goutnik CommitDate: 2022-10-04 20:57:19 +0000 security/vuxml: Document Go vulnerabilities --- security/vuxml/vuln-2022.xml | 66 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index 75aeb198e88a..d34a0ccdb841 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml @@ -1,3 +1,69 @@ + + go -- multiple vulnerabilities + + + go118 + 1.18.7 + + + go119 + 1.19.2 + + + + +

The Go project reports:

+
+

archive/tar: unbounded memory consumption when reading + headers

+

Reader.Read did not set a limit on the maximum size of + file headers. A maliciously crafted archive could cause + Read to allocate unbounded amounts of memory, potentially + causing resource exhaustion or panics. Reader.Read now + limits the maximum size of header blocks to 1 MiB.

+
+
+

net/http/httputil: ReverseProxy should not forward + unparseable query parameters

+

Requests forwarded by ReverseProxy included the raw + query parameters from the inbound request, including + unparseable parameters rejected by net/http. This could + permit query parameter smuggling when a Go proxy + forwards a parameter with an unparseable value.

+

ReverseProxy will now sanitize the query parameters in + the forwarded query when the outbound request's Form + field is set after the ReverseProxy.Director function + returns, indicating that the proxy has parsed the query + parameters. Proxies which do not parse query parameters + continue to forward the original query parameters + unchanged.

+
+
+

regexp/syntax: limit memory used by parsing regexps

+

The parsed regexp representation is linear in the size + of the input, but in some cases the constant factor can be + as high as 40,000, making relatively small regexps consume + much larger amounts of memory.

+

Each regexp being parsed is now limited to a 256 MB + memory footprint. Regular expressions whose + representation would use more space than that are now + rejected. Normal use of regular expressions is + unaffected.

+
+ +
+ + CVE-2022-2879 + CVE-2022-2880 + CVE-2022-41715 + https://groups.google.com/g/golang-announce/c/xtuG5faxtaU/m/jEhlI_5WBgAJ + + + 2022-10-04 + 2022-10-04 + +
+ zydis -- heap buffer overflow