Search for packages
| purl | pkg:deb/debian/golang-1.11@1.11.5-1 |
| Next non-vulnerable version | 1.11.6-1+deb10u4 |
| Latest non-vulnerable version | 1.11.6-1+deb10u4 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-7ahs-f1qh-g7an
Aliases: CVE-2021-3114 |
Multiple vulnerabilities have been found in Go, the worst of which could result in remote code execution. |
Affected by 0 other vulnerabilities. |
|
VCID-dwge-3up7-yyaq
Aliases: CVE-2020-16845 GHSA-q6gq-997w-f55g |
Withdrawn Advisory: Infinite loop in xz ### Withdrawn Advisory This advisory has been withdrawn because alerts cannot be issued for the Go standard library at this time. ### Original Description Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. |
Affected by 0 other vulnerabilities. |
|
VCID-hbte-dsw2-y7ad
Aliases: CVE-2019-9512 GHSA-hgr8-6h9x-f7q9 |
golang.org/x/net/http vulnerable to ping floods Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. ### Specific Go Packages Affected golang.org/x/net/http2 |
Affected by 4 other vulnerabilities. |
|
VCID-n66u-b73u-zucb
Aliases: CVE-2019-9514 GHSA-39qc-96h7-956f |
golang.org/x/net/http vulnerable to a reset flood Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. ### Specific Go Packages Affected golang.org/x/net/http2 |
Affected by 4 other vulnerabilities. |
|
VCID-ry9q-vr9h-cbg2
Aliases: CVE-2020-7919 GHSA-cjjc-xp8v-855w |
Helm uses crypto package vulnerable to panic from malformed X.509 certificate The Helm core maintainers have identified a high severity security vulnerability in Go's `crypto` package affecting all versions prior to Helm 2.16.8 and Helm 3.1.0. Thanks to @ravin9249 for identifying the vulnerability. ### Impact Go before 1.12.16 and 1.13.x before 1.13.7 (and the `crypto/cryptobyte` package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients resulting in a panic via a malformed X.509 certificate. This may allow a remote attacker to cause a denial of service. ### Patches A patch to compile Helm against Go 1.14.4 has been provided for Helm 2 and is available in Helm 2.16.8. Helm 3.1.0 and newer are compiled against Go 1.13.7+. ### Workarounds No workaround is available. Users are urged to upgrade. ### References - https://nvd.nist.gov/vuln/detail/CVE-2020-7919 - https://github.com/helm/helm/pull/8288 ### For more information If you have any questions or comments about this advisory: * Open an issue in [the Helm repository](https://github.com/helm/helm/issues) * For security-specific issues, email us at <cncf-helm-security@lists.cncf.io> |
Affected by 0 other vulnerabilities. |
|
VCID-tj5a-dbam-gygg
Aliases: CVE-2019-16276 |
golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling |
Affected by 4 other vulnerabilities. |
|
VCID-vkfy-p7zg-g3eb
Aliases: CVE-2019-17596 |
golang: invalid public key causes panic in dsa.Verify |
Affected by 4 other vulnerabilities. |
|
VCID-w9qm-pwnh-4ydj
Aliases: CVE-2020-15586 |
golang: data race in certain net/http servers including ReverseProxy can lead to DoS |
Affected by 0 other vulnerabilities. |
|
VCID-zvbg-n1t4-ckg9
Aliases: CVE-2019-14809 |
golang: malformed hosts in URLs leads to authorization bypass |
Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||