FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

go -- multiple vulnerabilities

Affected packages
go118 < 1.18.6
go119 < 1.19.1

Details

VuXML ID 6fea7103-2ea4-11ed-b403-3dae8ac60d3e
Discovery 2022-09-06
Entry 2022-09-07

The Go project reports:

net/http: handle server errors after sending GOAWAY

A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

net/url: JoinPath does not strip relative path components in all circumstances

JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path.
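
An added example (not code from the Go project or from this VuXML entry): a caller-side containment check for the JoinPath issue described above, which does not depend on JoinPath having stripped `../` itself. The helper name `joinUnder` and the `example.test` inputs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// joinUnder is a hypothetical helper: it joins elems onto base with
// URL.JoinPath, then independently verifies the result is still under the
// base path, so the check holds whether or not JoinPath stripped "../".
func joinUnder(base string, elems ...string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	joined := u.JoinPath(elems...)

	// Any ".." segment surviving the join is the symptom described above.
	for _, seg := range strings.Split(joined.Path, "/") {
		if seg == ".." {
			return "", fmt.Errorf("unresolved .. in %q", joined.Path)
		}
	}

	// Anchor both paths at "/" so relative bases are compared the same way.
	root := path.Clean("/" + u.Path)
	got := path.Clean("/" + joined.Path)
	if root != "/" && got != root && !strings.HasPrefix(got, root+"/") {
		return "", fmt.Errorf("%q escapes base %q", got, root)
	}
	return joined.String(), nil
}

func main() {
	// Constructed inputs; example.test is a placeholder host.
	for _, in := range [][2]string{
		{"https://example.test/files/", "report.pdf"},
		{"https://example.test/files/", "../admin"},
		{"files", "../../secret"},
	} {
		out, err := joinUnder(in[0], in[1])
		fmt.Printf("%q + %q -> %q, err=%v\n", in[0], in[1], out, err)
	}
}
```

The check rejects the input on both affected and fixed Go releases, since it tests the joined result rather than trusting the join.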

References

CVE Name CVE-2022-27664
CVE Name CVE-2022-32190
URL https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ