update: go #1117

dongsupark · 2023-07-17T08:29:33Z

Name: go
CVEs: CVE-2023-29406
CVSSs: 6.5
Action Needed: update to >= 1.19.11 or 1.20.6

Summary: The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

See also https://groups.google.com/g/golang-announce/c/2q13H6LEEx0.

refmap.gentoo:

dongsupark added security security concerns advisory security advisory labels Jul 17, 2023

github-project-automation bot added this to Flatcar tactical, release planning, and roadmap Jul 17, 2023

github-project-automation bot moved this to 📝 Needs Triage in Flatcar tactical, release planning, and roadmap Jul 17, 2023

dongsupark moved this from 📝 Needs Triage to ⚒️ In Progress in Flatcar tactical, release planning, and roadmap Jul 17, 2023

dongsupark mentioned this issue Jul 17, 2023

Upgrade Go from 1.19.10 and 1.20.5 to 1.19.11 and 1.20.6 flatcar/scripts#988

Merged

dongsupark added the cvss/MEDIUM >= 4 && < 7 assessed CVSS label Jul 24, 2023

dongsupark closed this as completed in flatcar/scripts#988 Jul 24, 2023

github-project-automation bot moved this from ⚒️ In Progress to Implemented in Flatcar tactical, release planning, and roadmap Jul 24, 2023

github-actions bot mentioned this issue Nov 10, 2023

Monthly contributions report 2023-07-22 - 2023-08-21 #1246

Closed

dongsupark removed this from Flatcar tactical, release planning, and roadmap Nov 28, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

update: go #1117

update: go #1117

dongsupark commented Jul 17, 2023 •

edited

Loading

update: go #1117

update: go #1117

Comments

dongsupark commented Jul 17, 2023 • edited Loading

dongsupark commented Jul 17, 2023 •

edited

Loading