Name | CVE-2021-29923 |
Description | Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
golang-1.15 (PTS) | bullseye | 1.15.15-1~deb11u4 | vulnerable |
The information below is based on the following data on fixed versions.
Notes
[bullseye] - golang-1.15 <no-dsa> (Minor issue)
[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
[stretch] - golang-1.8 <ignored> (Minor issue, IP-based access control failure in specific cases, upstream won't fix supported releases for backward compatibility)
[stretch] - golang-1.7 <ignored> (Minor issue, IP-based access control failure in specific cases, upstream won't fix supported releases for backward compatibility)
https://github.com/golang/go/issues/30999
https://github.com/golang/go/issues/43389
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md
https://go-review.googlesource.com/c/go/+/325829/