USN-7109-1

Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2 streams. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-41723)

Marten Seemann discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. (CVE-2022-41724)

Ameya Darshan and Jakob Ackermann discovered that Go did not properly validate the amount of memory and disk files ReadForm can consume. An attacker could possibly use this issue to cause a panic resulting in a denial of service. (CVE-2022-41725)

Hunter Wittenborn discovered that Go incorrectly handled the sanitization of environment variables. An attacker could possibly use this issue to run arbitrary commands. (CVE-2023-24531)

Jakob Ackermann discovered that Go incorrectly handled multipart forms. An attacker could possibly use this issue to consume an excessive amount of resources, resulting in a denial of service. (CVE-2023-24536)

Juho Nurminen discovered that Go incorrectly handled certain special characters in directory or file paths. An attacker could possibly use this issue to inject code into the resulting binaries. (CVE-2023-29402)

Vincent Dehors discovered that Go incorrectly handled permission bits. An attacker could possibly use this issue to read or write files with elevated privileges. (CVE-2023-29403)

Juho Nurminen discovered that Go incorrectly handled certain compiler directives. An attacker could possibly use this issue to execute arbitrary code. (CVE-2023-29404)

Juho Nurminen discovered that Go incorrectly handled certain crafted arguments. An attacker could possibly use this issue to execute arbitrary code at build time. (CVE-2023-29405)

Bartek Nowotarski discovered that Go incorrectly validated the contents of host headers. A remote attacker could possibly use this issue to inject additional headers or entire requests. (CVE-2023-29406)

Takeshi Kaneko discovered that...