go-toolset:rhel8 security, bug fix, and enhancement update
Errata ID: AXSA:2021-2375:01
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
The following packages have been upgraded to a later upstream version: golang (1.15.14).
Security Fix(es):
* golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader (CVE-2021-27918)
* golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)
* golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196)
* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* FIPS mode AES CBC CryptBlocks incorrectly re-initializes IV in file crypto/internal/boring/aes.go
* FIPS mode AES CBC Decrypter produces incorrect result
CVE-2021-27918
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
CVE-2021-31525
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
CVE-2021-33196
In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.
CVE-2021-34558
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
Modularity name: go-toolset
Stream name: rhel8
Update packages.
SRPMS
- delve-1.5.0-2.module+el8+1296+c47eddbe.src.rpm
  Size: 7.55 MB
- golang-1.15.14-1.module+el8+1296+c47eddbe.src.rpm
  Size: 21.62 MB
- go-toolset-1.15.14-1.module+el8+1296+c47eddbe.src.rpm
  Size: 12.04 kB
Asianux Server 8 for x86_64
- delve-1.5.0-2.module+el8+1296+c47eddbe.x86_64.rpm
  Size: 4.03 MB
- delve-debugsource-1.5.0-2.module+el8+1296+c47eddbe.x86_64.rpm
  Size: 691.26 kB
- golang-1.15.14-1.module+el8+1296+c47eddbe.x86_64.rpm
  Size: 706.85 kB
- golang-bin-1.15.14-1.module+el8+1296+c47eddbe.x86_64.rpm
  Size: 89.85 MB
- golang-docs-1.15.14-1.module+el8+1296+c47eddbe.noarch.rpm
  Size: 2.41 MB
- golang-misc-1.15.14-1.module+el8+1296+c47eddbe.noarch.rpm
  Size: 819.57 kB
- golang-race-1.15.14-1.module+el8+1296+c47eddbe.x86_64.rpm
  Size: 14.25 MB
- golang-src-1.15.14-1.module+el8+1296+c47eddbe.noarch.rpm
  Size: 8.01 MB
- golang-tests-1.15.14-1.module+el8+1296+c47eddbe.noarch.rpm
  Size: 6.82 MB
- go-toolset-1.15.14-1.module+el8+1296+c47eddbe.x86_64.rpm
  Size: 10.67 kB