Headline
CVE-2022-29526: golang-announce - Google Groups
Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
anno…@golang.org
Jun 10
Go 1.19 Beta 1 is released
Hello gophers, We have just released go1.19beta1, a beta version of Go 1.19. It is cut from the
Dmitri Shuralyov
Jun 1
[security] Go 1.18.3 and Go 1.17.11 are released
Hello gophers, We have just released Go versions 1.18.3 and 1.17.11, minor point releases. These
Heschi Kreinick
May 10
[security] Go 1.18.2 and Go 1.17.10 are released
Hello gophers, We have just released Go versions 1.18.2 and 1.17.10, minor point releases. These
Dmitri Shuralyov
Apr 13
[security] Go 1.18.1 and Go 1.17.9 are released
Hello gophers, We have just released Go versions 1.18.1 and 1.17.9, minor point releases. These minor
Julie Qiu, Carlos Amedee
Apr 7
[security] Go 1.18.1 and Go 1.17.9 pre-announcement
Hello gophers, Due to an issue with release tooling, this release is now planned for Tuesday, April
Heschi Kreinick
Mar 15
Go 1.18 is released
Hello gophers, We just released Go 1.18 To find out what has changed in Go 1.18, read the release
Filippo Valsorda
Mar 15
An update of golang.org/x/crypto/ssh might be necessary
Hello gophers, Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements
Carlos Amedee
Mar 3
[security] Go 1.17.8 and Go 1.16.15 are released
Hello gophers, We have just released Go versions 1.17.8 and 1.16.15, minor point releases. These
Dmitri Shuralyov
Feb 17
Go 1.18 Release Candidate 1 is released
Hello gophers, We have just released go1.18rc1, a release candidate version of Go 1.18. It is cut
Cherry Mui
Feb 11
[security] Go 1.17.7 and Go 1.16.14 are released
Hello gophers, We have just released Go versions 1.17.7 and 1.16.14, minor point releases. These
Alex Rakoczy
Jan 31
Go 1.18 Beta 2 is released
Hello gophers, We have just released go1.18beta2, a beta version of Go 1.18. It is cut from the
Roland Shoemaker
Jan 27
Most certificates managed by autocert require manual renewal
Hello gophers, The Let’s Encrypt certificate authority is revoking all certificates issued with
Carlos Amedee
Jan 6
Go 1.17.6 and Go 1.16.13 are released
Hello gophers, We have just released Go versions 1.17.6 and 1.16.13, minor point releases. View the
Cherry Mui
12/14/21
Go 1.18 Beta 1 is released
Hello gophers, We have just released go1.18beta1, a beta version of Go 1.18. It is cut from the
Alex Rakoczy
12/9/21
[security] Go 1.17.5 and Go 1.16.12 are released
Hello gophers, We have just released Go versions 1.17.5 and 1.16.12, minor point releases. These
Michael Knyszek
12/3/21
Go 1.17.4 and Go 1.16.11 are released
Hello gophers, We have just released Go versions 1.17.4 and 1.16.11, minor point releases. View the
Roland Shoemaker
12/2/21
[security] Vulnerability in golang.org/x/crypto/ssh
Hello gophers, Version v0.0.0-20211202192323-5770296d904e of golang.org/x/crypto fixes a
Roland Shoemaker
11/29/21
[security] golang.org/x/crypto/ssh fix pre-announcement
Hello gophers, We plan to issue a security fix for the golang.org/x/crypto/ssh package in the golang.
Than McIntosh
11/4/21
[security] Go 1.17.3 and Go 1.16.10 are released
Hi gophers, We have just released Go versions 1.17.3 and 1.16.10, minor point releases. These minor
Michael Knyszek
10/8/21
[security] Go 1.17.2 and Go 1.16.9 are released
Hello gophers, We have just released Go versions 1.17.2 and 1.16.9, minor point releases. These minor
Roland Shoemaker
10/4/21
[security] Go 1.17.2 and Go 1.16.9 pre-announcement
Hello gophers, We plan to issue Go 1.17.2 and Go 1.16.9 on Thursday, October 7. These are minor
Than McIntosh
9/9/21
[security] Go 1.17.1 and Go 1.16.8 are released
Hello gophers, We have just released Go versions 1.17.1 and 1.16.8 minor point releases. These minor
Michael Knyszek
8/16/21
Go 1.17 is released
Hello gophers, We just released Go 1.17 To find out what has changed in Go 1.17, read the release
Alex Rakoczy
8/5/21
Go 1.16.7 and Go 1.15.15 are released
Hello gophers, We have just released Go versions 1.16.7 and 1.15.15, minor point releases. These
Alex Rakoczy
8/2/21
Go 1.17 Release Candidate 2 is released
Hello gophers, We have just released go1.17rc2, a release candidate version of Go 1.17. It is cut
Cherry Mui
7/13/21
Go 1.17 Release Candidate 1 is released
Hello gophers, We have just released go1.17rc1, a release candidate version of Go 1.17. It is cut
Dmitri Shuralyov
7/13/21
[security] Go 1.16.6 and Go 1.15.14 are released
Hello gophers, We have just released Go versions 1.16.6 and 1.15.14, minor point releases. These
Filippo Valsorda
7/7/21
[security] Go 1.16.6 and Go 1.15.14 pre-announcement
Hello gophers, We plan to issue Go 1.16.6 and Go 1.15.14 on Monday, July 12. These are minor releases
Dmitri Shuralyov
6/10/21
Go 1.17 Beta 1 is released
Hello gophers, We have just released go1.17beta1, a beta version of Go 1.17. It is cut from the
David Chase
6/4/21
Go 1.16.5 and Go 1.15.13 are released
Hello gophers, We have just released Go versions 1.16.5 and 1.15.13, minor point releases. These
Related news
Ubuntu Security Notice 6038-2 - USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16. CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16. It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.
A new container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-42581: A flaw was found in the Ramda NPM package that involves prototype poisoning. This flaw allows attackers to supply a crafted object, affecting the integrity or availability of the application. * CVE-2022-1650: A flaw was found in the EventSource NPM Package. The description from the source states the following messa...
Ubuntu Security Notice 6038-1 - It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. It was discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service.
An update is now available for Service Telemetry Framework 1.5. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-23772: A flaw was found in the big package of the math library in golang. The Rat....
Red Hat Security Advisory 2023-0408-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Issues addressed include denial of service and out of bounds read vulnerabilities.
IBM Db2U 3.5, 4.0, and 4.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 237210.
Red Hat Security Advisory 2022-6714-01 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes new features and bug fixes.
Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes new features and bug fixes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-24921: golang: regexp: stack exhaustion via a deeply nested expression * CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar * CVE-2022-29526: golang: syscall: faccessat checks wrong gr...
Red Hat Security Advisory 2022-6277-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include denial of service and traversal vulnerabilities.
Red Hat OpenShift Service Mesh 2.1.5 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-24785: Moment.js: Path traversal in moment.locale * CVE-2022-24921: golang: regexp: stack exhaustion via a deeply nested expression * CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar * CVE-2022-29526: golang: syscall: faccessat checks wrong group * CVE-2022-30629: golang: crypto/tls: session t...
Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.11.0 on Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23440: nodejs-set-value: type confusion allows bypass of CVE-2019-10747 * CVE-2021-23566: nanoid: Information disclosure via valueOf() function * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-0536: follow-...
Gentoo Linux Security Advisory 202208-2 - Multiple vulnerabilities have been found in Go, the worst of which could result in remote code execution. Versions less than 1.18.5 are affected.
Red Hat Security Advisory 2022-5840-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.
The Migration Toolkit for Containers (MTC) 1.7.3 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1365: cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar * CVE-2022-29526: golang: syscall: faccessat checks wrong group
Secondary Scheduler Operator for Red Hat OpenShift 1.0.1 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-29526: golang: syscall: faccessat checks wrong group
An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar * CVE-2022-29526: golang: syscall: faccessat checks wrong group
Red Hat Security Advisory 2022-5392-01 - Red Hat Advanced Cluster Management for Kubernetes 2.3.11 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which resolve security issues and fix several bugs. Issues addressed include a traversal vulnerability.
Red Hat Advanced Cluster Management for Kubernetes 2.3.11 general availability release images, which provide security updates and bug fixes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-0536: follow-redirects: Exposure of Sensitive Information via Authorization Header leak * CVE-2022-21803: nconf: Prototype pollution in memory store * CVE-2022-23806: golang: crypto/elliptic IsOnCurv...
Red Hat Security Advisory 2022-5201-01 - Red Hat Advanced Cluster Management for Kubernetes 2.4.5 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which apply security fixes and fix several bugs. Issues addressed include a traversal vulnerability.
Red Hat Advanced Cluster Management for Kubernetes 2.4.5 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-43565: golang.org/x/crypto: empty plaintext packet causes panic * CVE-2022-21803: nconf: Prototype pollution in memory store * CVE-2022-23806: golang: crypto/elliptic IsOnCurve returns true for invalid field elements * CVE-2022-24450: nats-server: misusing the "dynamically provisioned sand...
In Docker before versions 19.03.15 and 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.