OESA-2022-1783

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected.(CVE-2022-32148)

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.(CVE-2022-30635)

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes. (CVE-2022-30634)

Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.(CVE-2022-30633)

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.(CVE-2022-30632)

Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.(CVE-2022-30631)

As required by RFC 8446, section 4.6.1, ticketageadd now holds arandom 32-bit value. Before this change, this value was always setto 0.(CVE-2022-30629)

Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.(CVE-2022-28131)

Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.(CVE-2022-1962)

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a chunked encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.(CVE-2022-1705)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:20.03-LTS-SP1 / golang

Package

Name: golang
Purl: pkg:rpm/openEuler/golang&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.15.7-14.oe1

Ecosystem specific

{
    "src": [
        "golang-1.15.7-14.oe1.src.rpm"
    ],
    "x86_64": [
        "golang-1.15.7-14.oe1.x86_64.rpm"
    ],
    "aarch64": [
        "golang-1.15.7-14.oe1.aarch64.rpm"
    ],
    "noarch": [
        "golang-devel-1.15.7-14.oe1.noarch.rpm",
        "golang-help-1.15.7-14.oe1.noarch.rpm"
    ]
}

openEuler:20.03-LTS-SP3 / golang

Package

Name: golang
Purl: pkg:rpm/openEuler/golang&distro=openEuler-20.03-LTS-SP3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.15.7-14.oe1

Ecosystem specific

{
    "src": [
        "golang-1.15.7-14.oe1.src.rpm"
    ],
    "x86_64": [
        "golang-1.15.7-14.oe1.x86_64.rpm"
    ],
    "aarch64": [
        "golang-1.15.7-14.oe1.aarch64.rpm"
    ],
    "noarch": [
        "golang-devel-1.15.7-14.oe1.noarch.rpm",
        "golang-help-1.15.7-14.oe1.noarch.rpm"
    ]
}

openEuler:22.03-LTS / golang

Package

Name: golang
Purl: pkg:rpm/openEuler/golang&distro=openEuler-22.03-LTS

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.17.3-5.oe2203

Ecosystem specific

{
    "src": [
        "golang-1.17.3-5.oe2203.src.rpm"
    ],
    "x86_64": [
        "golang-1.17.3-5.oe2203.x86_64.rpm"
    ],
    "aarch64": [
        "golang-1.17.3-5.oe2203.aarch64.rpm"
    ],
    "noarch": [
        "golang-devel-1.17.3-5.oe2203.noarch.rpm",
        "golang-help-1.17.3-5.oe2203.noarch.rpm"
    ]
}