14 lines
1.7 KiB
JSON
14 lines
1.7 KiB
JSON
{
|
|
"id": "openEuler-SA-2023-1935",
|
|
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1935",
|
|
"title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
|
|
"severity": "Important",
|
|
"description": ".\r\n\r\nSecurity Fix(es):\r\n\r\nA malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.(CVE-2023-39326)\r\n\r\nUsing go get to fetch a module with the \".git\" suffix may unexpectedly fallback to the insecure \"git://\" protocol if the module is unavailable via the secure \"https://\" and \"git+ssh://\" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).(CVE-2023-45285)",
|
|
"cves": [
|
|
{
|
|
"id": "CVE-2023-45285",
|
|
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45285",
|
|
"severity": "Moderate"
|
|
}
|
|
]
|
|
} |