ALAS2-2021-1694 --- golang
ID: oval:org.secpod.oval:def:1700697 | Date: (C)2021-08-10 (M)2023-11-30 | Class: PATCH | Family: unix
A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files.

A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists, or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites, as well as TLS 1.3-only clients, are unaffected.