This is a bug fix release addressing the following Golang security issues:
Golang security fix CVE-2022-41723
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a
denial of service from a small number of small requests.
Golang security fix CVE-2022-41724
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records
which cause servers and clients, respectively, to panic when attempting to construct responses.
Golang security fix CVE-2022-41722
A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could
transform an invalid path such as "a/../c:/b" into the valid path "c:". This transformation of a relative
(if invalid) path into an absolute path could enable a directory traversal attack.
After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".
- 🔍View and search all Open Policy Agent releases.
- 🛠️Create and share lists to track your tools.
- 🚨Setup notifications for major, security, feature or patch updates.
- 🚀Much more coming soon!