Vulnerability CVE-2022-24921: Information
Description
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| golang | sisyphus | 1.17.8-alt1 | 1.22.2-alt1 | ALT-PU-2022-1429-1 | 296255 | Fixed |
| golang | sisyphus_riscv64 | 1.17.8-alt1 | 1.22.2-alt1 | ALT-PU-2022-4216-1 | - | Fixed |
| golang | p10 | 1.16.15-alt1 | 1.21.9-alt1 | ALT-PU-2022-1437-1 | 296256 | Fixed |
| golang | p9 | 1.19.12-alt1 | 1.15.15-alt1 | ALT-PU-2023-5153-1 | 326713 | Testing |
| golang | c10f1 | 1.16.15-alt1 | 1.21.9-alt1 | ALT-PU-2022-1437-1 | 296256 | Fixed |
| golang | c9f2 | 1.16.15-alt1.c9 | 1.20.11-alt1 | ALT-PU-2022-1435-1 | 296257 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
|---|---|
| https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk |
|
| https://security.netapp.com/advisory/ntap-20220325-0010/ |
|
| [debian-lts-announce] 20220428 [SECURITY] [DLA 2986-1] golang-1.8 security update |
|
| [debian-lts-announce] 20220428 [SECURITY] [DLA 2985-1] golang-1.7 security update |
|
| GLSA-202208-02 |
|
| https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf | |
| [debian-lts-announce] 20230419 [SECURITY] [DLA 3395-1] golang-1.11 security update |