From nobody Thu Sep 07 12:15:06 2023 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RhJ8p69ssz4sTsk; Thu, 7 Sep 2023 12:15:06 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RhJ8p5lr5z3S6t; Thu, 7 Sep 2023 12:15:06 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1694088906; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=DcB6kOdi61ZsFTwGrABM/8N0A1BOdJQt13lznMXmtvk=; b=C3mZn9TTb1oUnRauGLxaJlvY1NGN6XCjt6V8+3UGhccRbKa9tyuVT9x7d2ijUKrXL6slQx 8uYVOHIA2IqMJXLXUtYx0rWP6sL87NmLJl6i0c6009AtcBhN6D2dhe02b35KOZYyxwKGJC nIgyRC3pTL4HvYav1cyX8RUWA1Yd8rj+zqHcTNflSdKzvQ75yf4ElVFRBuYgaqdwIptHFy EqvDCdqgS96ON9udUluGDTr5Dw9ABG7r0Pfshn8V0XSYaS/MklJ9l79AuAtNMwQ3D/tX5/ lELDhllUpVey5cEJ/7E64EcHAGkvRG6Vpg7CxBxxbMgmLADToK12H53+oU+mog== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1694088906; a=rsa-sha256; cv=none; b=I7ZD+gjbnoLRbJJzJWVPqApBhgtZjG+DQt08iQpy1ejROHjGUsNE2jFZvGtwhmYXRF9+Mv qTj2jKNPKc+6q7QVbaEHPxw7cToZgva9606pJvxmV4gungafio53Ojcsm2GMebQebzLls2 8U+gff9Om9Ow99ztbg5tptFgT7hCrHX2dH71zPXXb+y8IhdVDs/bbIuiSdY2FAyudHQEeU jB6R0A0yY0MiAnK+sY8ZuaebtgCgNi6qpJ3+CJXPjurIO37lsI6HxvqGj9sof/eQOJhVHr XTq37/T6Y79QraR4FRLjwgMzustAUHLBn0szVV4ca1tpJPo6ueuzqUwZgQyrqg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1694088906; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=DcB6kOdi61ZsFTwGrABM/8N0A1BOdJQt13lznMXmtvk=; b=gy8dr70lHc9BYO5BFAS0d0WZ3gm0ljmjYpB5xQPuB7CgXWC2lbKZD9efuDuIp9wnp5y/gN F4YV5L0XCo8b6e4Prt3fY3qT84j5ZCQR5MIUJ3sHHlW5aamK5/Ubroyoo67uLvb8qGIAoP SBFNFGt52mgJdbURp3jqP/fDyRMJxXEJKEFbuLMPdEBbkgMT+5e91bTfAiW9nA0Hc2pqGb lQYN4MRsyPW7WHhHYm2b6w/X3CG6JI0s7/4wUdiM+wMpQoygIWvhAykRmY8kif6vgAqwwv zbtBlSiZgbIbaVGPzVRz8m7WZLSNKzez4aaVw4parNYPseLmcgXiyotbRl1Z+Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RhJ8p4nqTzydd; Thu, 7 Sep 2023 12:15:06 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 387CF6C9050750; Thu, 7 Sep 2023 12:15:06 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 387CF6rH050747; Thu, 7 Sep 2023 12:15:06 GMT (envelope-from git) Date: Thu, 7 Sep 2023 12:15:06 GMT Message-Id: <202309071215.387CF6rH050747@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Dmitri Goutnik Subject: git: a2d8fbe03a2b - main - security/vuxml: Document Go vulnerabilities List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: dmgk X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: a2d8fbe03a2b95c5ada274e863967eee5f417e7f Auto-Submitted: auto-generated The branch main has been updated by dmgk: URL: https://cgit.FreeBSD.org/ports/commit/?id=a2d8fbe03a2b95c5ada274e863967eee5f417e7f commit a2d8fbe03a2b95c5ada274e863967eee5f417e7f Author: Dmitri Goutnik AuthorDate: 2023-09-07 12:12:45 +0000 Commit: Dmitri Goutnik CommitDate: 2023-09-07 12:14:26 +0000 security/vuxml: Document Go vulnerabilities --- security/vuxml/vuln/2023.xml | 69 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index abf0da2dff8c..a841b1ad44f8 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,72 @@ + + go -- multiple vulnerabilities + + + go120 + 1.20.8 + + + go121 + 1.21.1 + + + + +

The Go project reports:

+
+

cmd/go: go.mod toolchain directive allows arbitrary + execution

+

The go.mod toolchain directive, introduced in Go 1.21, + could be leveraged to execute scripts and binaries + relative to the root of the module when the "go" command + was executed within the module. This applies to modules + downloaded using the "go" command from the module proxy, + as well as modules downloaded directly using VCS software.

+
+
+

html/template: improper handling of HTML-like comments + within script contexts

+

The html/template package did not properly handle + HMTL-like "<!--" and "-->" + comment tokens, nor hashbang "#!" comment tokens, in + <script> contexts. This may cause the template + parser to improperly interpret the contents of + <script> contexts, causing actions to be improperly + escaped. This could be leveraged to perform an XSS attack.

+
+
+

html/template: improper handling of special tags within + script contexts

+

The html/template package did not apply the proper rules + for handling occurrences + of "<script", "<!--", and "</script" within JS + literals in <script< contexts. This may cause the + template parser to improperly consider script contexts to + be terminated early, causing actions to be improperly + escaped. This could be leveraged to perform an XSS attack.

+
+
+

crypto/tls: panic when processing post-handshake message + on QUIC connections

+

Processing an incomplete post-handshake message for a QUIC + connection caused a panic.

+
+ +
+ + CVE-2023-39320 + CVE-2023-39318 + CVE-2023-39319 + CVE-2023-39321 + CVE-2023-39322 + https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ?pli=1 + + + 2023-09-06 + 2023-09-07 + +
+ FreeBSD -- Wi-Fi encryption bypass