Neil

**Name of the Vulnerable Software and Affected Versions** Go versions 1.21.3 and earlier, 1.20.10 and earlier **Description** The issue is related to the IsLocal function not correctly detecting reserved device names in some cases on Windows. Specifically, reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. This can be exploited by a remote attacker to bypass existing security restrictions. The estimated number of potentially affected devices is not specified. **Recommendations** For Go versions 1.21.3 and earlier, update to version 1.21.4 or later. For Go versions 1.20.10 and earlier, update to version 1.20.11 or later. As a temporary workaround, consider restricting the use of the IsLocal function until a patch is available. Avoid using reserved device names with trailing spaces or superscripts in the `path/filepath` package until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Go http2 package (affected versions not specified) **Description** A malicious HTTP/2 client can cause excessive server resource consumption by rapidly creating requests and immediately resetting them. This allows the attacker to create a new request while the existing one is still executing, despite the total number of requests being bounded by the `http2.Server.MaxConcurrentStreams` setting. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit will be queued until a handler exits, and if the request queue grows too large, the server will terminate the connection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Nome do software vulnerável e versões afetadas** Versões do Go anteriores à versão corrigida **Descrição** A vulnerabilidade permite que arquivos restritos sejam acessados por meio de `os.DirFS` e `http.Dir` no Windows. Essas funções fornecem acesso a uma árvore de arquivos com raiz em um determinado diretório e permitem o acesso a arquivos de dispositivos do Windows sob essa raiz. Por exemplo, `os.DirFS(“C:/tmp”).Open(“COM1”)` abre o dispositivo COM1. Tanto `os.DirFS` quanto `http.Dir` fornecem apenas acesso somente leitura ao sistema de arquivos. Além disso, no Windows, um `os.DirFS` para o diretório (a raiz da unidade atual) pode permitir que um caminho criado de forma maliciosa escape da unidade e acesse qualquer caminho no sistema. O comportamento de `os.DirFS(“”)` mudou com a correção aplicada; anteriormente, tratava uma raiz vazia de forma equivalente a “/”, e agora retorna um erro. **Recomendações** Para versões do Go anteriores à versão corrigida, considere aplicar a correção para alterar o comportamento de `os.DirFS(“”)` de modo que retorne um erro em vez de tratá-lo de forma equivalente a “/”. Como solução alternativa temporária, restrinja o uso de `os.DirFS` e `http.Dir` para minimizar o risco de exploração. Evite usar `os.DirFS` com raízes vazias ou caminhos criados de forma maliciosa até que o problema seja resolvido.

**Name of the Vulnerable Software and Affected Versions** Bugzilla versions 2.17.1 through 2.22.7 Bugzilla versions 3.0.x through 3.3.x Bugzilla versions 3.4.x before 3.4.12 Bugzilla versions 3.5.x Bugzilla versions 3.6.x before 3.6.6 Bugzilla versions 3.7.x Bugzilla versions 4.0.x before 4.0.2 Bugzilla versions 4.1.x before 4.1.3 **Description** A CRLF injection issue allows remote attackers to inject arbitrary e-mail headers via an attachment description in a flagmail notification. **Recommendations** For Bugzilla versions 2.17.1 through 2.22.7, update to a version outside of this range to resolve the issue. For Bugzilla versions 3.0.x through 3.3.x, update to a version outside of this range to resolve the issue. For Bugzilla versions 3.4.x before 3.4.12, update to version 3.4.12 or later to resolve the issue. For Bugzilla versions 3.5.x, update to a version outside of this range to resolve the issue. For Bugzilla versions 3.6.x before 3.6.6, update to version 3.6.6 or later to resolve the issue. For Bugzilla versions 3.7.x, update to a version outside of this range to resolve the issue. For Bugzilla versions 4.0.x before 4.0.2, update to version 4.0.2 or later to resolve the issue. For Bugzilla versions 4.1.x before 4.1.3, update to version 4.1.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** NetBSD-current versions prior to 20061028 **Description** The issue is related to improper bounds checking of an unspecified `userspace parameter` in the `ptrace` system call during a `PT DUMPCORE` request. This allows local users to have an unknown impact. **Recommendations** For versions prior to 20061028, consider updating to a version after 20061028 to resolve the issue. As a temporary workaround, restrict access to the `ptrace` system call to minimize the risk of exploitation.