go-toolset:rhel8 security, bug fix, and enhancement update
Errata ID: AXSA:2021-2792:01
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
The following packages have been upgraded to a later upstream version: golang (1.16.7).
Security Fix(es):
* golang: net: lookup functions may return invalid host names (CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
* golang: net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2021-33195
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
CVE-2021-33197
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
CVE-2021-33198
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
CVE-2021-36221
Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.
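A defensive check for the CVE-2021-33195 class of issue, as an added example that is not part of this advisory or of Go's own fix: it validates names returned by a DNS lookup against host-name syntax and HTML-escapes them before they are written into a page. The names validHostname and safeNames and the sample data are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// validHostname reports whether name follows host-name syntax (RFC 1035 as
// relaxed by RFC 1123): dot-separated labels of 1-63 letters, digits or
// hyphens, no leading or trailing hyphen, at most 253 bytes in total.
func validHostname(name string) bool {
	name = strings.TrimSuffix(name, ".") // lookups return fully qualified names
	if name == "" || len(name) > 253 {
		return false
	}
	for _, label := range strings.Split(name, ".") {
		if len(label) == 0 || len(label) > 63 || label[0] == '-' || label[len(label)-1] == '-' {
			return false
		}
		for i := 0; i < len(label); i++ {
			c := label[i]
			alnum := c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9'
			if !alnum && c != '-' {
				return false
			}
		}
	}
	return true
}

// safeNames keeps only syntactically valid names from a lookup result and
// HTML-escapes them as defense in depth; rejected holds the dropped values.
func safeNames(results []string) (safe, rejected []string) {
	for _, r := range results {
		if validHostname(r) {
			safe = append(safe, html.EscapeString(r))
		} else {
			rejected = append(rejected, r)
		}
	}
	return safe, rejected
}

func main() {
	// Constructed sample standing in for a net.LookupAddr result from an untrusted resolver.
	sample := []string{"mail.example.com.", "<script>alert(1)</script>.example.com."}
	safe, rejected := safeNames(sample)
	fmt.Printf("safe=%q rejected=%q\n", safe, rejected)
}
```

The validator is deliberately strict for host names, so service labels that contain underscores (as used in SRV owner names) are rejected as well.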
Modularity name: go-toolset
Stream name: rhel8
Update packages.
SRPMS
- delve-1.6.0-1.module+el8+1340+8bec08e6.src.rpm
Size: 7.25 MB
- golang-1.16.7-1.module+el8+1340+8bec08e6.src.rpm
Size: 19.58 MB
- go-toolset-1.16.7-1.module+el8+1340+8bec08e6.src.rpm
Size: 12.61 kB
Asianux Server 8 for x86_64
- delve-1.6.0-1.module+el8+1340+8bec08e6.x86_64.rpm
Size: 3.58 MB
- delve-debugsource-1.6.0-1.module+el8+1340+8bec08e6.x86_64.rpm
Size: 723.58 kB
- golang-1.16.7-1.module+el8+1340+8bec08e6.x86_64.rpm
Size: 686.60 kB
- golang-bin-1.16.7-1.module+el8+1340+8bec08e6.x86_64.rpm
Size: 91.88 MB
- golang-docs-1.16.7-1.module+el8+1340+8bec08e6.noarch.rpm
Size: 110.00 kB
- golang-misc-1.16.7-1.module+el8+1340+8bec08e6.noarch.rpm
Size: 829.46 kB
- golang-race-1.16.7-1.module+el8+1340+8bec08e6.x86_64.rpm
Size: 18.00 MB
- golang-src-1.16.7-1.module+el8+1340+8bec08e6.noarch.rpm
Size: 8.23 MB
- golang-tests-1.16.7-1.module+el8+1340+8bec08e6.noarch.rpm
Size: 7.07 MB
- go-toolset-1.16.7-1.module+el8+1340+8bec08e6.x86_64.rpm
Size: 11.12 kB