CVE-2023-24534
Published: 6 April 2023
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
golang-1.20 Launchpad, Ubuntu, Debian |
jammy |
Not vulnerable
(1.20.3-1ubuntu0.1~22.04)
|
| upstream |
Released
(1.20.3-1)
|
|
| xenial |
Ignored
(end of standard support)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| bionic |
Does not exist
|
|
| focal |
Not vulnerable
(1.20.3-1ubuntu0.1~20.04)
|
|
| kinetic |
Does not exist
|
|
| lunar |
Not vulnerable
(1.20.3-1)
|
|
|
Patches: upstream: https://github.com/golang/go/commit/3991f6c41c7dfd167e889234c0cf1d840475e93c |
||
|
golang-1.10 Launchpad, Ubuntu, Debian |
jammy |
Does not exist
|
| kinetic |
Does not exist
|
|
| trusty |
Needed
|
|
| upstream |
Needs triage
|
|
| xenial |
Needed
|
|
| bionic |
Needed
|
|
| focal |
Does not exist
|
|
| lunar |
Does not exist
|
|
|
golang-1.13 Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Needed
|
|
| jammy |
Needed
|
|
| kinetic |
Ignored
(end of life, was needed)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needed
|
|
| lunar |
Does not exist
|
|
|
golang-1.14 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Needed
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support)
|
|
| lunar |
Does not exist
|
|
|
golang-1.16 Launchpad, Ubuntu, Debian |
focal |
Needed
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support)
|
|
| bionic |
Needs triage
|
|
| lunar |
Does not exist
|
|
|
golang-1.17 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Needed
|
|
| kinetic |
Does not exist
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support)
|
|
| lunar |
Does not exist
|
|
|
golang-1.18 Launchpad, Ubuntu, Debian |
kinetic |
Does not exist
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(1.18.1-1ubuntu1~16.04.4)
Available with Ubuntu Pro |
|
| bionic |
Released
(1.18.1-1ubuntu1~18.04.4)
|
|
| focal |
Released
(1.18.1-1ubuntu1~20.04.2)
|
|
| jammy |
Released
(1.18.1-1ubuntu1.1)
|
|
| lunar |
Does not exist
|
|
|
golang-1.8 Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support)
|
|
| lunar |
Does not exist
|
|
|
golang-1.9 Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support)
|
|
| lunar |
Does not exist
|
|
|
golang-1.19 Launchpad, Ubuntu, Debian |
trusty |
Ignored
(end of standard support)
|
| xenial |
Ignored
(end of standard support)
|
|
| bionic |
Does not exist
|
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Released
(1.19.2-1ubuntu1.1)
|
|
| upstream |
Released
(1.19.8-1)
|
|
| lunar |
Not vulnerable
(1.19.8-1)
|
|
|
Patches: upstream: https://github.com/golang/go/commit/d6759e7a059f4208f07aa781402841d7ddaaef96 |
||
|
golang-1.6 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| upstream |
Needs triage
|
|
| trusty |
Ignored
(end of standard support)
|
|
| xenial |
Needed
|
|
| bionic |
Does not exist
|
|
| lunar |
Does not exist
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24534
- https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
- https://go.dev/issue/58975
- https://github.com/golang/go/commit/3991f6c41c7dfd167e889234c0cf1d840475e93c (go1.20.3)
- https://github.com/golang/go/commit/d6759e7a059f4208f07aa781402841d7ddaaef96 (go1.19.8)
- https://ubuntu.com/security/notices/USN-6038-1
- https://ubuntu.com/security/notices/USN-6140-1
- NVD
- Launchpad
- Debian