Your submission was sent successfully! Close

CVE-2020-16845

Published: 6 August 2020

Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.

Notes

AuthorNote
mdeslaur
Packages built using golang need to be rebuilt once the
vulnerability has been fixed. This CVE entry does not
list packages that need rebuilding outside of the main
repository or the Ubuntu variants with PPA overlays.
Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status
golang
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (1.13.15, 1.14.7)
xenial Does not exist

golang-1.10
Launchpad, Ubuntu, Debian
bionic Needed

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Needs triage

upstream Needs triage

xenial Needs triage

golang-1.13
Launchpad, Ubuntu, Debian
bionic Needed

focal Needed

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Ignored
(reached end-of-life)
jammy Needed

precise Does not exist

trusty Does not exist

upstream
Released (1.13.15, 1.14.7)
xenial Ignored
(end of standard support, was needed)
Patches:
upstream: https://github.com/golang/go/commit/ec5b63a6a2b6205cc204e9ce856e7517a1b989d2


golang-1.14
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Needed

groovy
Released (1.14.7-2ubuntu1)
hirsute
Released (1.14.7-2ubuntu1)
impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (1.13.15, 1.14.7)
xenial Does not exist

Patches:

upstream: https://github.com/golang/go/commit/51bb041f7cf17c5e8e10a7307521625437687b04

golang-1.15
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

groovy Not vulnerable
(1.15-2ubuntu1)
hirsute Not vulnerable
(1.15-2ubuntu1)
impish Not vulnerable
(1.15-2ubuntu1)
precise Does not exist

trusty Does not exist

upstream
Released (1.13.15, 1.14.7)
xenial Does not exist

Patches:


upstream: https://github.com/golang/go/commit/027d7241ce050d197e7fabea3d541ffbe3487258
golang-1.6
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Needs triage

golang-1.8
Launchpad, Ubuntu, Debian
bionic Needed

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

golang-1.9
Launchpad, Ubuntu, Debian
bionic Needed

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist