go-toolset:rhel8 security, bug fix, and enhancement update

Errata ID: AXSA:2021-2375:01

Release date: 
Thursday, August 19, 2021 - 10:14
Subject: 
go-toolset:rhel8 security, bug fix, and enhancement update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.

The following packages have been upgraded to a later upstream version: golang (1.15.14).

Security Fix(es):

* golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader (CVE-2021-27918)
* golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)
* golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196)
* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* FIPS mode AES CBC CryptBlocks incorrectly re-initializes IV in file crypto/internal/boring/aes.go
* FIPS mode AES CBC Decrypter produces incorrect result

CVE-2021-27918
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
CVE-2021-31525
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
CVE-2021-33196
In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.
CVE-2021-34558
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
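
To confirm that the toolchain a service was built with carries the CVE-2021-27918 fix, the condition in that description can be turned into a regression check. This is an added example, not code from the advisory or from the Go project; `truncatedReader`, `finishes`, `decodeOp`, `skipOp` and `probeTimeout` are names chosen here, and the token stream is constructed.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"time"
)

const probeTimeout = 2 * time.Second // assumed budget; a fixed decoder returns at once

// truncatedReader is a constructed custom TokenReader: it yields the start of
// element <a> and then io.EOF, never the matching end element.
type truncatedReader struct{ sent bool }

func (r *truncatedReader) Token() (xml.Token, error) {
	if r.sent {
		return nil, io.EOF
	}
	r.sent = true
	return xml.StartElement{Name: xml.Name{Local: "a"}}, nil
}

// finishes runs op on a fresh decoder over the truncated stream and reports
// whether it returned within timeout. An unfixed encoding/xml never returns.
func finishes(op func(*xml.Decoder) error, timeout time.Duration) (bool, error) {
	done := make(chan error, 1)
	go func() { done <- op(xml.NewTokenDecoder(&truncatedReader{})) }()
	select {
	case err := <-done:
		return true, err
	case <-time.After(timeout):
		return false, nil
	}
}

func decodeOp(d *xml.Decoder) error { return d.Decode(new(struct{})) }

func skipOp(d *xml.Decoder) error {
	if _, err := d.Token(); err != nil { // consume <a> so Skip has an open element
		return err
	}
	return d.Skip()
}

func main() {
	okD, errD := finishes(decodeOp, probeTimeout)
	okS, errS := finishes(skipOp, probeTimeout)
	fmt.Printf("Decode terminated=%v err=%v\nSkip terminated=%v err=%v\n", okD, errD, okS, errS)
}
```

A fixed toolchain reports both calls as terminated with a non-nil error; a timeout means the binary was built with an affected encoding/xml.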

Modularity name: go-toolset
Stream name: rhel8

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. delve-1.5.0-2.module+el8+1296+c47eddbe.src.rpm
    MD5: e1351c67701b8bfff1a22b2ecb116762
    SHA-256: cc3be3d26d104cd2fd2526e3bd5826de475661257bfef8e21a347a1d1b73f57d
    Size: 7.55 MB
  2. golang-1.15.14-1.module+el8+1296+c47eddbe.src.rpm
    MD5: 74dd385173d2296122e5acabd5a141f7
    SHA-256: 0de78a28eb721b4ac61aa33526984b9f07e310bde1b5bd48eb19e8e604eea979
    Size: 21.62 MB
  3. go-toolset-1.15.14-1.module+el8+1296+c47eddbe.src.rpm
    MD5: da5569bfbb1467dd7690e96af21ae747
    SHA-256: cfc6a4a9abd2c4a484e17fcfe48c0e1487ac4fcb77f39e5294eb5c01059618db
    Size: 12.04 kB

Asianux Server 8 for x86_64
  1. delve-1.5.0-2.module+el8+1296+c47eddbe.x86_64.rpm
    MD5: 96cef396178f86ced65cd183a3905cc4
    SHA-256: ef0a16e43c692fe88145e75858c24d3ac2d8143ca9b77f6a94c469034c7ad3dd
    Size: 4.03 MB
  2. delve-debugsource-1.5.0-2.module+el8+1296+c47eddbe.x86_64.rpm
    MD5: 4527f1c67d00e39fefcd5e307a347d3e
    SHA-256: 900aca6d4c35e71092a3da204f4038704c48f1fa2e804b206e8822c8bd9c3154
    Size: 691.26 kB
  3. golang-1.15.14-1.module+el8+1296+c47eddbe.x86_64.rpm
    MD5: a9b3a896e39f29fe5361ba3979f241ef
    SHA-256: 17efaa66bee1bb4d79483060455215ed03330361b27cf1f79a8464a95ad7aab3
    Size: 706.85 kB
  4. golang-bin-1.15.14-1.module+el8+1296+c47eddbe.x86_64.rpm
    MD5: 3026f394249868b9a5d32cd183d2c489
    SHA-256: 3d36bbdad01dc05e0e89d62b9dba50eb4182b1ae35bad47e9c488b70add3cb52
    Size: 89.85 MB
  5. golang-docs-1.15.14-1.module+el8+1296+c47eddbe.noarch.rpm
    MD5: 923dd541c508f4c48bddefdae80a816c
    SHA-256: db5e76b9381543156aa0d93280481a04955383bf1991809054a4ad6ae4d4f84d
    Size: 2.41 MB
  6. golang-misc-1.15.14-1.module+el8+1296+c47eddbe.noarch.rpm
    MD5: 1b7eef21704424daeacb48ab8b65abf0
    SHA-256: fa9604bd9e636ba035aab2c3e2c2979c70205d57388051af0f6b8267e099b56f
    Size: 819.57 kB
  7. golang-race-1.15.14-1.module+el8+1296+c47eddbe.x86_64.rpm
    MD5: c8a28a92eab14fcc30669ad5c29d62f5
    SHA-256: 3f097a97c28d5a80ea4d5fa1452fa52eb26a669cad92b9c1056d6e542470b6ce
    Size: 14.25 MB
  8. golang-src-1.15.14-1.module+el8+1296+c47eddbe.noarch.rpm
    MD5: cf21f7c86c015b359961baffd3b232fa
    SHA-256: 56ba0c69efc84d18ba1f4ea2df5dc1817e0ca59df57f3285381b278dc2edd6f4
    Size: 8.01 MB
  9. golang-tests-1.15.14-1.module+el8+1296+c47eddbe.noarch.rpm
    MD5: 5b385214d9459f9c8ea52c31460db16d
    SHA-256: 5c7a8da11ec1c81b489841dbdb4bba3d6a39e63215fc64fc34da3c994a0885dd
    Size: 6.82 MB
  10. go-toolset-1.15.14-1.module+el8+1296+c47eddbe.x86_64.rpm
    MD5: 09a47b5608b43fa924110ac0e61a3ce6
    SHA-256: 38d1b30ed1552d533292d237e98e5b1d16c7223c8fcf6c195364eb38a3c0e172
    Size: 10.67 kB