https://github.com/golang/go/issues/42559

https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM

[trafficcontrol-issues] 20201112 [GitHub] [trafficcontrol] zrhoffman opened a new pull request #5278: Update Go version to 1.15.5

FEDORA-2020-e971480183

FEDORA-2020-864922e78a

https://security.netapp.com/advisory/ntap-20201202-0004/

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Code     Injection.(CVE-2020-28366)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows     Argument Injection.(CVE-2020-28367)

  - The encoding/xml package in Go (all versions) does not     correctly preserve the semantics of attribute namespace     prefixes during tokenization round-trips, which allows     an attacker to craft inputs that behave in conflicting     ways during different stages of processing in affected     downstream applications.(CVE-2020-29509)

  - The encoding/xml package in Go (all versions) does not     correctly preserve the semantics of element namespace     prefixes during tokenization round-trips, which allows     an attacker to craft inputs that behave in conflicting     ways during different stages of processing in affected     downstream applications.(CVE-2020-29511)

  - The encoding/xml package in Go versions 1.15 and     earlier does not correctly preserve the semantics of     directives during tokenization round-trips, which     allows an attacker to craft inputs that behave in     conflicting ways during different stages of processing     in affected downstream applications.(CVE-2020-29510)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the golang packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Code     Injection. (CVE-2020-28366)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows     Argument Injection.(CVE-2020-28367)

  - The encoding/xml package in Go (all versions) does not     correctly preserve the semantics of attribute namespace     prefixes during tokenization round-trips, which allows     an attacker to craft inputs that behave in conflicting     ways during different stages of processing in affected     downstream applications.(CVE-2020-29509)

  - The encoding/xml package in Go (all versions) does not     correctly preserve the semantics of attribute namespace     prefixes during tokenization round-trips, which allows     an attacker to craft inputs that behave in conflicting     ways during different stages of processing in affected     downstream applications.(CVE-2020-29511)

  - The encoding/xml package in Go versions 1.15 and     earlier does not correctly preserve the semantics of     directives during tokenization round-trips, which     allows an attacker to craft inputs that behave in     conflicting ways during different stages of processing     in affected downstream applications.(CVE-2020-29510)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:5493 advisory.

  - golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS (CVE-2020-24553)

  - golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)

  - golang: malicious symbol names can lead to code execution at build time (CVE-2020-28366)

  - golang: improper validation of cgo flags can lead to code execution at build time (CVE-2020-28367)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Code     Injection.(CVE-2020-28366)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows     Argument Injection.(CVE-2020-28367)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of golang installed on the remote host is prior to 1.15.5-1.65. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2021-1471 advisory.

  - Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. (CVE-2020-28362)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection. (CVE-2020-28366)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection. (CVE-2020-28367)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1578 advisory.

  - Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. (CVE-2020-28362)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection. (CVE-2020-28366)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection. (CVE-2020-28367)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The encoding/xml package in Go (all versions) does not     correctly preserve the semantics of attribute namespace     prefixes during tokenization round-trips, which allows     an attacker to craft inputs that behave in conflicting     ways during different stages of processing in affected     downstream applications.(CVE-2020-29509)

  - The encoding/xml package in Go versions 1.15 and     earlier does not correctly preserve the semantics of     directives during tokenization round-trips, which     allows an attacker to craft inputs that behave in     conflicting ways during different stages of processing     in affected downstream applications.(CVE-2020-29510)

  - The encoding/xml package in Go (all versions) does not     correctly preserve the semantics of element namespace     prefixes during tokenization round-trips, which allows     an attacker to craft inputs that behave in conflicting     ways during different stages of processing in affected     downstream applications.(CVE-2020-29511)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows     Argument Injection.(CVE-2020-28367)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Code     Injection.(CVE-2020-28366)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5493 advisory.

  - Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. (CVE-2020-28362)

  - Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI     handlers that lack a Content-Type header. (CVE-2020-24553)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection. (CVE-2020-28366)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection. (CVE-2020-28367)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2020-1471 advisory.

  - Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. (CVE-2020-28362)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection. (CVE-2020-28366)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection. (CVE-2020-28367)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This plugin has been deprecated due to Amazon pulling the previously published advisory.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5493 advisory.

  - golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS (CVE-2020-24553)

  - golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)

  - golang: malicious symbol names can lead to code execution at build time (CVE-2020-28366)

  - golang: improper validation of cgo flags can lead to code execution at build time (CVE-2020-28367)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

- Rebase to go1.14.13

  - Security fix for CVE-2020-28362, CVE-2020-28367 and     CVE-2020-28366

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the go package has been released.

This update for go1.15 fixes the following issues :

go1.15.5 (released 2020-11-12) includes security fixes to the cmd/go and math/big packages.

  - go#42553 math/big: panic during recursive division of     very large numbers (bsc#1178750 CVE-2020-28362)

  - go#42560 cmd/go: arbitrary code can be injected into cgo     generated files (bsc#1178752 CVE-2020-28367)

  - go#42557 cmd/go: improper validation of cgo flags can     lead to remote code execution at build time (bsc#1178753     CVE-2020-28366)

  - go#42169 cmd/compile, runtime, reflect: pointers to     go:notinheap types must be stored indirectly in     interfaces

  - go#42151 cmd/cgo: opaque struct pointers are broken     since Go 1.15.3

  - go#42138 time: Location interprets wrong timezone (DST)     with slim zoneinfo

  - go#42113 x/net/http2: the first write error on a     connection will cause all subsequent write requests to     fail blindly

  - go#41914 net/http: request.Clone doesn't deep copy     TransferEncoding

  - go#41704 runtime: macOS syscall.Exec can get SIGILL due     to preemption signal

  - go#41463 compress/flate: deflatefast produces corrupted     output

  - go#41387 x/net/http2: connection-level flow control not     returned if stream errors, causes server hang

  - go#40974 cmd/link: sectionForAddress(0xA9D67F) address     not in any section file

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for go1.14 fixes the following issues :

go1.14.12 (released 2020-11-12) includes security fixes to the cmd/go and math/big packages.

  - go#42553 math/big: panic during recursive division of     very large numbers (bsc#1178750 CVE-2020-28362)

  - go#42560 cmd/go: arbitrary code can be injected into cgo     generated files (bsc#1178752 CVE-2020-28367)

  - go#42557 cmd/go: improper validation of cgo flags can     lead to remote code execution at build time (bsc#1178753     CVE-2020-28366)

  - go#42155 time: Location interprets wrong timezone (DST)     with slim zoneinfo

  - go#42112 x/net/http2: the first write error on a     connection will cause all subsequent write requests to     fail blindly

  - go#41991 runtime: macOS-only segfault on 1.14+ with     'split stack overflow'

  - go#41913 net/http: request.Clone doesn't deep copy     TransferEncoding

  - go#41703 runtime: macOS syscall.Exec can get SIGILL due     to preemption signal

  - go#41386 x/net/http2: connection-level flow control not     returned if stream errors, causes server hang

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5333 advisory.

  - golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)

  - golang: malicious symbol names can lead to code execution at build time (CVE-2020-28366)

  - golang: improper validation of cgo flags can lead to code execution at build time (CVE-2020-28367)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for go1.15 fixes the following issues :

  - go1.15.5 (released 2020-11-12) includes security fixes     to the cmd/go and math/big packages.

  - go#42553 math/big: panic during recursive division of     very large numbers (bsc#1178750 CVE-2020-28362)

  - go#42560 cmd/go: arbitrary code can be injected into cgo     generated files (bsc#1178752 CVE-2020-28367)

  - go#42557 cmd/go: improper validation of cgo flags can     lead to remote code execution at build time (bsc#1178753     CVE-2020-28366)

  - go#42169 cmd/compile, runtime, reflect: pointers to     go:notinheap types must be stored indirectly in     interfaces

  - go#42151 cmd/cgo: opaque struct pointers are broken     since Go 1.15.3

  - go#42138 time: Location interprets wrong timezone (DST)     with slim zoneinfo

  - go#42113 x/net/http2: the first write error on a     connection will cause all subsequent write requests to     fail blindly

  - go#41914 net/http: request.Clone doesn't deep copy     TransferEncoding

  - go#41704 runtime: macOS syscall.Exec can get SIGILL due     to preemption signal

  - go#41463 compress/flate: deflatefast produces corrupted     output

  - go#41387 x/net/http2: connection-level flow control not     returned if stream errors, causes server hang

  - go#40974 cmd/link: sectionForAddress(0xA9D67F) address     not in any section file

This update for go1.14 fixes the following issues :

  - go1.14.12 (released 2020-11-12) includes security fixes     to the cmd/go and math/big packages.

  - go#42553 math/big: panic during recursive division of     very large numbers (bsc#1178750 CVE-2020-28362)

  - go#42560 cmd/go: arbitrary code can be injected into cgo     generated files (bsc#1178752 CVE-2020-28367)

  - go#42557 cmd/go: improper validation of cgo flags can     lead to remote code execution at build time (bsc#1178753     CVE-2020-28366)

  - go#42155 time: Location interprets wrong timezone (DST)     with slim zoneinfo

  - go#42112 x/net/http2: the first write error on a     connection will cause all subsequent write requests to     fail blindly

  - go#41991 runtime: macOS-only segfault on 1.14+ with     'split stack overflow'

  - go#41913 net/http: request.Clone doesn't deep copy     TransferEncoding

  - go#41703 runtime: macOS syscall.Exec can get SIGILL due     to preemption signal

  - go#41386 x/net/http2: connection-level flow control not     returned if stream errors, causes server hang

This update was imported from the SUSE:SLE-15:Update update project.

- Rebase to go1.15.5

  - Security fix for CVE-2020-28362, CVE-2020-28367 and     CVE-2020-28366

----

  - Rebase to go1.15.4

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Go project reports :

A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat methods are similarly affected.

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by a malicious gcc flags specified via a #cgo directive.

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious unquoted symbol names.

ID	Name	Product	Family	Severity
148062	EulerOS 2.0 SP5 : golang (EulerOS-SA-2021-1678)	Nessus	Huawei Local Security Checks	medium
147555	EulerOS Virtualization 3.0.6.6 : golang (EulerOS-SA-2021-1480)	Nessus	Huawei Local Security Checks	medium
145933	CentOS 8 : go-toolset:rhel8 (CESA-2020:5493)	Nessus	CentOS Local Security Checks	medium
145749	EulerOS 2.0 SP8 : golang (EulerOS-SA-2021-1144)	Nessus	Huawei Local Security Checks	medium
144999	Amazon Linux AMI : golang (ALAS-2021-1471)	Nessus	Amazon Linux Local Security Checks	medium
144801	Amazon Linux 2 : golang (ALAS-2021-1578)	Nessus	Amazon Linux Local Security Checks	medium
144699	EulerOS 2.0 SP9 : golang (EulerOS-SA-2021-1025)	Nessus	Huawei Local Security Checks	medium
144686	EulerOS : golang (EulerOS-SA-2021-1006)	Nessus	Huawei Local Security Checks	medium
144562	Oracle Linux 8 : go-toolset:ol8 (ELSA-2020-5493)	Nessus	Oracle Linux Local Security Checks	medium
144460	Amazon Linux AMI : golang (ALAS-2020-1471) (deprecated)	Nessus	Amazon Linux Local Security Checks	medium
144407	RHEL 8 : go-toolset:rhel8 (RHSA-2020:5493)	Nessus	Red Hat Local Security Checks	medium
144315	Fedora 32 : golang (2020-e971480183)	Nessus	Fedora Local Security Checks	medium
144064	Photon OS 3.0: Go PHSA-2020-3.0-0173	Nessus	PhotonOS Local Security Checks	medium
143660	SUSE SLED15 / SLES15 Security Update : go1.15 (SUSE-SU-2020:3368-1)	Nessus	SuSE Local Security Checks	medium
143648	SUSE SLED15 / SLES15 Security Update : go1.14 (SUSE-SU-2020:3369-1)	Nessus	SuSE Local Security Checks	medium
143469	RHEL 7 : go-toolset-1.14-golang (RHSA-2020:5333)	Nessus	Red Hat Local Security Checks	medium
143457	openSUSE Security Update : go1.15 (openSUSE-2020-2139)	Nessus	SuSE Local Security Checks	medium
143337	openSUSE Security Update : go1.14 (openSUSE-2020-2047)	Nessus	SuSE Local Security Checks	medium
143311	openSUSE Security Update : go1.14 (openSUSE-2020-2067)	Nessus	SuSE Local Security Checks	medium
143188	Fedora 33 : golang (2020-864922e78a)	Nessus	Fedora Local Security Checks	medium
142883	FreeBSD : go -- math/big: panic during recursive division of very large numbers; cmd/go: arbitrary code execution at build time through cgo (db4b2f27-252a-11eb-865c-00155d646400)	Nessus	FreeBSD Local Security Checks	medium

CVE-2020-28366

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium