Path to this page:
Subject: CVS commit: pkgsrc/lang
From: Benny Siegert
Date: 2022-11-01 18:41:11
Message id: 20221101174111.E9AB1FA90@cvs.NetBSD.org
Log Message:
go119: update to 1.19.3
This release includes 1 security fixes following the security policy:
syscall, os/exec: unsanitized NUL in environment variables
On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for
invalid environment variable values. A malicious environment variable value
could exploit this behavior to set a value for a different environment
variable. For example, the environment variable string "A=B\x00C=D" set the
variables "A=B" and "C=D".
Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.19.3
Files: