FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-08 09:03:38 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
b1b039ec-dbfc-11ee-9165-901b0e9408dc	go -- multiple vulnerabilities The Go project reports reports: crypto/x509: Verify panics on certificates with an unknown public key algorithm Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. net/http: memory exhaustion in Request.ParseMultipartForm When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. html/template: errors returned from MarshalJSON methods may break template escaping If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. net/mail: comments in display names are incorrectly handled The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. Discovery 2024-03-05 Entry 2024-03-06 go122 < 1.22.1 go121 < 1.21.8 CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24785 https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg/m/46oA5yPABQAJ
cdb5e0e3-fafc-11ee-9c21-901b0e9408dc	go -- http2: close connections when receiving too many headers The Go project reports: http2: close connections when receiving too many headers Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. Discovery 2024-04-03 Entry 2024-04-15 go122 < 1.22.2 go121 < 1.21.9 CVE-2023-45288 https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M/m/khALNYGdAAAJ

VuXML ID

Description

b1b039ec-dbfc-11ee-9165-901b0e9408dc

go -- multiple vulnerabilities

The Go project reports reports:

crypto/x509: Verify panics on certificates with an unknown public key algorithm

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.

net/http: memory exhaustion in Request.ParseMultipartForm

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.

net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.

html/template: errors returned from MarshalJSON methods may break template escaping

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

net/mail: comments in display names are incorrectly handled

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

Discovery 2024-03-05
Entry 2024-03-06
go122

< 1.22.1

go121

< 1.21.8

CVE-2023-45289
CVE-2023-45290
CVE-2024-24783
CVE-2024-24784
CVE-2024-24785
https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg/m/46oA5yPABQAJ

cdb5e0e3-fafc-11ee-9c21-901b0e9408dc

go -- http2: close connections when receiving too many headers

The Go project reports:

http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.

Discovery 2024-04-03
Entry 2024-04-15
go122

< 1.22.2

go121

< 1.21.9

CVE-2023-45288
https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M/m/khALNYGdAAAJ