[Buildroot] [PATCH] package/go: security bump to version 1.16.5

Peter Korsgaard peter at korsgaard.com
Thu Jun 10 20:51:57 UTC 2021


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
 >> Fixes the following security issues:
 >> - CVE-2021-33195: The LookupCNAME, LookupSRV, LookupMX, LookupNS, and
 >> LookupAddr functions in net, and their respective methods on the Resolver
 >> type may return arbitrary values retrieved from DNS which do not follow
 >> the established RFC 1035 rules for domain names.  If these names are used
 >> without further sanitization, for instance unsafely included in HTML, they
 >> may allow for injection of unexpected content.  Note that LookupTXT may
 >> still return arbitrary values that could require sanitization before
 >> further use

 >> - CVE-2021-33196: The NewReader and OpenReader functions in archive/zip can
 >> cause a panic or an unrecoverable fatal error when reading an archive that
 >> claims to contain a large number of files, regardless of its actual size

 >> - CVE-2021-33197: ReverseProxy in net/http/httputil could be made to forward
 >> certain hop-by-hop headers, including Connection.  In case the target of
 >> the ReverseProxy was itself a reverse proxy, this would let an attacker
 >> drop arbitrary headers, including those set by the ReverseProxy.Director

 >> - CVE-2021-33198: The SetString and UnmarshalText methods of math/big.Rat
 >> may cause a panic or an unrecoverable fatal error if passed inputs with
 >> very large exponents

 >> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

For 2021.02.x I have instead bumped to 1.15.13, which contains the same
security fixes.

-- 
Bye, Peter Korsgaard
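
The CVE-2021-33195 entry quoted above notes that names obtained from DNS should be sanitized before being placed in HTML, and that LookupTXT results remain arbitrary even after the fix. The following is an added example, not part of the original message or of the Go or Buildroot sources: a caller-side check that rejects hostname answers outside a strict letters/digits/hyphen rule and HTML-escapes everything it emits. The function names, the strictness of the rule and the sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// validHostname reports whether name uses only letter/digit/hyphen labels of
// 1-63 bytes, with no leading or trailing hyphen and at most 253 bytes overall.
// One trailing dot is accepted. This strict rule is an assumption of the
// example; it is not a copy of the check inside the Go resolver.
func validHostname(name string) bool {
	name = strings.TrimSuffix(name, ".")
	if name == "" || len(name) > 253 {
		return false
	}
	for _, label := range strings.Split(name, ".") {
		if len(label) == 0 || len(label) > 63 ||
			label[0] == '-' || label[len(label)-1] == '-' {
			return false
		}
		for i := 0; i < len(label); i++ {
			c := label[i]
			if !(c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' ||
				c >= '0' && c <= '9' || c == '-') {
				return false
			}
		}
	}
	return true
}

// hostCell returns HTML-safe text for a hostname-type answer (CNAME, MX, NS,
// SRV target, PTR), or false when the name must not be rendered at all.
func hostCell(name string) (string, bool) {
	if !validHostname(name) {
		return "", false
	}
	return html.EscapeString(name), true
}

// txtCell escapes TXT data, which is free-form and cannot be validated by shape.
func txtCell(txt string) string { return html.EscapeString(txt) }

func main() {
	// Constructed sample answers, not real lookup results.
	for _, n := range []string{"mail.example.org.", "<b>x</b>.example.org"} {
		cell, ok := hostCell(n)
		fmt.Printf("%q -> %q (rendered: %v)\n", n, cell, ok)
	}
	fmt.Println(txtCell(`v=spf1 <b>&"quoted"`))
}
```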


