{ "document": { "aggregate_severity": { "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "Rebuild with golang >= 1.22.5 to fix CVE-2022-1705, CVE-2022-41717,\n CVE-2023-29406, CVE-2023-39318, CVE-2023-39319, CVE-2023-39326,\n CVE-2023-45290, CVE-2024-24785, CVE-2024-24791", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778109988", "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778109988" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/advisories/2026/clsa-2026_1778109988.json" } ], "tracking": { "current_release_date": "2026-05-06T23:28:39Z", "generator": { "date": "2026-05-06T23:28:39Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2026:1778109988", "initial_release_date": "2026-05-06T23:28:39Z", "revision_history": [ { "date": "2026-05-06T23:28:39Z", "number": "1", "summary": "Initial version" } ], "status": "final", "version": "1" }, "title": "toolbox: Fix of 9 CVEs" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "AlmaLinux 9.2", "product": { "name": "AlmaLinux 9.2", "product_id": "AlmaLinux-9.2", "product_identification_helper": { "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "AlmaLinux" } ], "category": "vendor", "name": "AlmaLinux OS Foundation" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "product": { "name": "toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "product_id": "toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/toolbox@0.0.99.3-10.el9_2.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "product": { "name": "toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "product_id": "toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/toolbox-tests@0.0.99.3-10.el9_2.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "product": { "name": "toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "product_id": "toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/toolbox-tests@0.0.99.3-10.el9.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "product": { "name": "toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "product_id": "toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/toolbox@0.0.99.3-10.el9.tuxcare.els1?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" }, "product_reference": "toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" }, "product_reference": "toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64" }, "product_reference": "toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64" }, "product_reference": "toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-39319", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" }, "notes": [ { "category": "description", "text": "The html/template package does not apply the proper rules for handling occurrences of \" contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" ], "known_affected": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2023-39319" }, { "category": "external", "summary": "https://go.dev/cl/526157", "url": "https://go.dev/cl/526157" }, { "category": "external", "summary": "https://go.dev/issue/62197", "url": "https://go.dev/issue/62197" }, { "category": "external", "summary": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ", "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2023-2043", "url": "https://pkg.go.dev/vuln/GO-2023-2043" }, { "category": "external", "summary": "https://security.gentoo.org/glsa/202311-09", "url": "https://security.gentoo.org/glsa/202311-09" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20231020-0009/", "url": "https://security.netapp.com/advisory/ntap-20231020-0009/" } ], "release_date": "2023-09-08T17:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-06T23:26:34.183828Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1778109988", "product_ids": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778109988" }, { "category": "none_available", "details": "Affected", "product_ids": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2022-41717", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "notes": [ { "category": "description", "text": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" ], "known_affected": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2022-41717" }, { "category": "external", "summary": "https://go.dev/cl/455635", "url": "https://go.dev/cl/455635" }, { "category": "external", "summary": "https://go.dev/cl/455717", "url": "https://go.dev/cl/455717" }, { "category": "external", "summary": "https://go.dev/issue/56350", "url": "https://go.dev/issue/56350" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ", "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSVIS6MTMFVBA7JPMRAUNKUOYEVSJYSB/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSVIS6MTMFVBA7JPMRAUNKUOYEVSJYSB/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYD/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYD/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2022-1144", "url": "https://pkg.go.dev/vuln/GO-2022-1144" }, { "category": "external", "summary": "https://security.gentoo.org/glsa/202311-09", "url": "https://security.gentoo.org/glsa/202311-09" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20230120-0008/", "url": "https://security.netapp.com/advisory/ntap-20230120-0008/" } ], "release_date": "2022-12-08T20:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-06T23:26:34.183828Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1778109988", "product_ids": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778109988" }, { "category": "none_available", "details": "Affected", "product_ids": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2024-24785", "cwe": { "id": "CWE-74", "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" }, "notes": [ { "category": "description", "text": "If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" ], "known_affected": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2024-24785" } ], "release_date": "2024-03-05T00:00:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-06T23:26:34.183828Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1778109988", "product_ids": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778109988" }, { "category": "none_available", "details": "Affected", "product_ids": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2023-39326", "notes": [ { "category": "description", "text": "A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" ], "known_affected": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2023-39326" }, { "category": "external", "summary": "https://go.dev/cl/547335", "url": "https://go.dev/cl/547335" }, { "category": "external", "summary": "https://go.dev/issue/64433", "url": "https://go.dev/issue/64433" }, { "category": "external", "summary": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ", "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2023-2382", "url": "https://pkg.go.dev/vuln/GO-2023-2382" } ], "release_date": "2023-12-06T17:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-06T23:26:34.183828Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1778109988", "product_ids": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778109988" }, { "category": "none_available", "details": "Affected", "product_ids": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2023-45290", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "description", "text": "When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" ], "known_affected": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2023-45290" } ], "release_date": "2024-03-05T00:00:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-06T23:26:34.183828Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1778109988", "product_ids": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778109988" }, { "category": "none_available", "details": "Affected", "product_ids": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64", "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9_2.tuxcare.els2.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2023-39318", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" }, "notes": [ { "category": "description", "text": "The html/template package does not properly handle HTML-like \"\" comment tokens, nor hashbang \"#!\" comment tokens, in