Debian Golang-1.15 vulnerabilities

CVE-2021-3115 [HIGH] CVE-2021-3115: golang-1.15 - Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command I... Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). Scope: local bullseye: resolved (fixed in 1.15.7-1)

CVE-2021-33195 [HIGH] CVE-2021-33195: golang-1.15 - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do... Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. Scope: local bullseye: resolved (fixed in 1.15.9-5)

CVE-2021-33196 [HIGH] CVE-2021-33196: golang-1.15 - In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file cou... In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic. Scope: local bullseye: resolved (fixed in 1.15.9-4)

CVE-2021-41771 [HIGH] CVE-2021-41771: golang-1.15 - ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.... ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation. Scope: local bullseye: resolved (fixed in 1.15.15-1~deb11u2)

CVE-2021-44716 [HIGH] CVE-2021-44716: golang-1.15 - net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memor... net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. Scope: local bullseye: resolved (fixed in 1.15.15-1~deb11u2)

CVE-2021-29923 [HIGH] CVE-2021-29923: golang-1.15 - Go before 1.17 does not properly consider extraneous zero characters at the begi... Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. Scope: local bullseye: open

CVE-2021-33198 [HIGH] CVE-2021-33198: golang-1.15 - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large ... In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. Scope: local bullseye: resolved (fixed in 1.15.9-5)

CVE-2021-39293 [HIGH] CVE-2021-39293: golang-1.15 - In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive h... In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196. Scope: local bullseye: resolved (fixed in 1.15.15-1~deb11u1)

CVE-2021-31525 [MEDIUM] CVE-2021-31525: golang-1.15 - net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers t... net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. Scope: local bullseye: resolved (fixed in 1.15.9-2)

CVE-2021-44717 [MEDIUM] CVE-2021-44717: golang-1.15 - Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an... Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion. Scope: local bullseye: resolved (fixed in 1.15.15-1~deb11u2)

CVE-2021-3114 [MEDIUM] CVE-2021-3114: golang-1.15 - In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can gener... In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. Scope: local bullseye: resolved (fixed in 1.15.7-1)

CVE-2021-34558 [MEDIUM] CVE-2021-34558: golang-1.15 - The crypto/tls package of Go through 1.16.5 does not properly assert that the ty... The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic. Scope: local bullseye: resolved (fixed in 1.15.9-6)

CVE-2021-36221 [MEDIUM] CVE-2021-36221: golang-1.15 - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to... Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. Scope: local bullseye: resolved (fixed in 1.15.15-1~deb11u1)

CVE-2021-33197 [MEDIUM] CVE-2021-33197: golang-1.15 - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReversePro... In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. Scope: local bullseye: resolved (fixed in 1.15.9-5)

CVE-2021-27919 [MEDIUM] CVE-2021-27919: golang-1.15 - archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of ser... archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename. Scope: local bullseye: resolved

CVE-2021-41772 [HIGH] CVE-2021-41772: golang-1.15 - Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open pan... Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field. Scope: local bullseye: resolved

CVE-2020-28362 [HIGH] CVE-2020-28362: golang-1.15 - Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. Scope: local bullseye: resolved (fixed in 1.15.5-1)

CVE-2020-28367 [HIGH] CVE-2020-28367: golang-1.15 - Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows... Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. Scope: local bullseye: resolved (fixed in 1.15.5-1)

CVE-2020-28366 [HIGH] CVE-2020-28366: golang-1.15 - Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows... Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. Scope: local bullseye: resolved (fixed in 1.15.5-1)

CVE-2020-16845 [HIGH] CVE-2020-16845: golang-1.15 - Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadU... Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. Scope: local bullseye: resolved (fixed in 1.15~rc2-1)