FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

go -- multiple vulnerabilities

Affected packages
go119 < 1.19.6
go120 < 1.20.1

Details

VuXML ID 3d73e384-ad1f-11ed-983c-83fe35862e3a
Discovery 2023-02-14
Entry 2023-02-15

The Go project reports:

path/filepath: path traversal in filepath.Clean on Windows

On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. The filepath.Clean function will now transform this path into the relative (but still invalid) path .\c:\b.
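A defensive check for code that feeds untrusted relative paths to filepath.Clean, added here as an example and not part of the advisory or of Go itself: the hypothetical SafeJoin refuses any input whose cleaned form is absolute or carries a volume name (the shape the affected Windows filepath.Clean produced for a/../c:/b) and then confirms the joined result still lies below a base directory. The base directory /srv/uploads is an assumed value; on non-Windows platforms the volume-name check never fires, so the remaining checks carry the traversal protection there.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for any untrusted path that would resolve
// outside the intended base directory.
var ErrUnsafePath = errors.New("unsafe path: escapes base directory")

// SafeJoin joins an untrusted, caller-supplied relative path onto base.
// It rejects a cleaned path that is absolute or names a volume (the result
// the vulnerable Windows filepath.Clean gave for inputs like a/../c:/b),
// and it rejects anything whose joined form escapes base after cleaning.
func SafeJoin(base, untrusted string) (string, error) {
	cleaned := filepath.Clean(untrusted)
	if filepath.IsAbs(cleaned) || filepath.VolumeName(cleaned) != "" {
		return "", ErrUnsafePath
	}
	joined := filepath.Join(base, cleaned)
	// Re-derive the relative path from base; a leading ".." means escape.
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", ErrUnsafePath
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return joined, nil
}

func main() {
	// Constructed sample inputs; "/srv/uploads" is an assumed base directory.
	for _, p := range []string{"a/../b/c.txt", "a/../c:/b", "../etc/passwd", "/etc/passwd"} {
		got, err := SafeJoin("/srv/uploads", p)
		fmt.Printf("%-14q -> %q err=%v\n", p, got, err)
	}
}
```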

net/http, mime/multipart: denial of service from excessive resource consumption

Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.

crypto/tls: large handshake records may cause panics

Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses.

net/http: avoid quadratic complexity in HPACK decoding

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

References

CVE Name CVE-2022-41722
CVE Name CVE-2022-41723
CVE Name CVE-2022-41724
CVE Name CVE-2022-41725
URL https://groups.google.com/g/golang-dev/c/G2APtTxT1HQ/m/6O6aksDaBAAJ