FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

go -- multiple vulnerabilities

Affected packages
go < 1.17.5,1

Details

VuXML ID 720505fe-593f-11ec-9ba8-002324b2fba8
Discovery 2021-12-08
Entry 2021-12-09

The Go project reports:

net/http: limit growth of header canonicalization cache. An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.

syscall: don’t close fd 0 on ForkExec error. When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one.

References

CVE Name CVE-2021-44716
CVE Name CVE-2021-44717
URL https://github.com/golang/go/issues/50057
URL https://github.com/golang/go/issues/50058