CVE-2023-24534
Publication date 6 April 2023
Last updated 24 July 2024
Ubuntu priority
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| golang-1.10 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial |
Vulnerable
|
|
| 14.04 LTS trusty |
Vulnerable
|
|
| golang-1.13 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy |
Fixed 1.13.8-1ubuntu2.22.04.2
|
|
| 20.04 LTS focal |
Fixed 1.13.8-1ubuntu1.2
|
|
| 18.04 LTS bionic |
Fixed 1.13.8-1ubuntu1~18.04.4+esm1
|
|
| 16.04 LTS xenial |
Fixed 1.13.8-1ubuntu1~16.04.3+esm3
|
|
| 14.04 LTS trusty | Ignored | |
| golang-1.14 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| golang-1.16 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Fixed 1.16.2-0ubuntu1~20.04.1
|
|
| 18.04 LTS bionic |
Fixed 1.16.2-0ubuntu1~18.04.2+esm1
|
|
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| golang-1.17 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| golang-1.18 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy |
Fixed 1.18.1-1ubuntu1.1
|
|
| 20.04 LTS focal |
Fixed 1.18.1-1ubuntu1~20.04.2
|
|
| 18.04 LTS bionic |
Fixed 1.18.1-1ubuntu1~18.04.4
|
|
| 16.04 LTS xenial |
Fixed 1.18.1-1ubuntu1~16.04.4
|
|
| 14.04 LTS trusty | Ignored | |
| golang-1.19 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| golang-1.20 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| golang-1.6 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial |
Vulnerable
|
|
| 14.04 LTS trusty | Ignored | |
| golang-1.8 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| golang-1.9 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProSeverity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6038-1
- Go vulnerabilities
- 25 April 2023
- USN-6140-1
- Go vulnerabilities
- 6 June 2023
- USN-6038-2
- Go vulnerabilities
- 9 January 2024
Other references
- https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
- https://go.dev/issue/58975
- https://github.com/golang/go/commit/3991f6c41c7dfd167e889234c0cf1d840475e93c (go1.20.3)
- https://github.com/golang/go/commit/d6759e7a059f4208f07aa781402841d7ddaaef96 (go1.19.8)
- https://www.cve.org/CVERecord?id=CVE-2023-24534