x/vulndb: potential Go vuln in std: CVE-2022-27664

[GoVulnBot]

CVE-2022-27664 references std, which may be a Go module.

Description:
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-27664
• JSON: https://github.com/CVEProject/cvelist/tree/254b752b4038217c60cafb31ec8f874c04c64039/2022/27xxx/CVE-2022-27664.json
• web: https://groups.google.com/g/golang-announce
• web: https://groups.google.com/g/golang-announce/c/x49AQzIVX-s
• Imported by: https://pkg.go.dev/std?tab=importedby

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: std
    packages:
      - package: std
description: |
    In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
cves:
  - CVE-2022-27664
references:
  - web: https://groups.google.com/g/golang-announce
  - web: https://groups.google.com/g/golang-announce/c/x49AQzIVX-s

[gopherbot]

Change https://go.dev/cl/430395 mentions this issue: data/reports: add GO-2022-0969.yaml for CVE-2022-27664

[vitaliyf]

This check appears to be failing on go1.18.6 even though that version is where the underlying issue should be fixed.

The error says:

  Found in: net/url@go1.18.6
  Fixed in: net/url@go1.19.1

which is definitely not accurate.

Edit: I see golang/go#55046 has been opened to track this.