go-toolset:rhel8 security and bug fix update

Errata ID: AXSA:2022-3530:01

Release date: Wednesday, July 13, 2022 - 03:42
Subject: go-toolset:rhel8 security and bug fix update
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description:

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.

Security Fix(es):

* golang: Command-line arguments may overwrite global data (CVE-2021-38297)
* golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196) (CVE-2021-39293)
* golang: debug/macho: invalid dynamic symbol table command can cause panic (CVE-2021-41771)
* golang: archive/zip: Reader.Open panics on empty string (CVE-2021-41772)
* golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString (CVE-2022-23772)
* golang: cmd/go: misinterpretation of branch names can lead to incorrect access control (CVE-2022-23773)
* golang: crypto/elliptic IsOnCurve returns true for invalid field elements (CVE-2022-23806)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

CVE-2021-33196
In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.
CVE-2021-38297
Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
CVE-2021-39293
In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.
CVE-2021-41771
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
CVE-2021-41772
Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
CVE-2022-23772
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.
CVE-2022-23773
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
CVE-2022-23806
Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

Modularity name: [security-medium]go-toolset
Stream name: rhel8

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. delve-1.7.2-1.module+el8+1453+b9e9d61f.src.rpm
    Size: 8.10 MB
  2. golang-1.17.7-1.module+el8+1453+b9e9d61f.src.rpm
    Size: 20.80 MB
  3. go-toolset-1.17.7-1.module+el8+1453+b9e9d61f.src.rpm
    Size: 13.37 kB

Asianux Server 8 for x86_64
  1. delve-1.7.2-1.module+el8+1453+b9e9d61f.x86_64.rpm
    Size: 3.70 MB
  2. delve-debugsource-1.7.2-1.module+el8+1453+b9e9d61f.x86_64.rpm
    Size: 827.49 kB
  3. golang-docs-1.17.7-1.module+el8+1453+b9e9d61f.noarch.rpm
    Size: 111.96 kB
  4. golang-bin-1.17.7-1.module+el8+1453+b9e9d61f.x86_64.rpm
    Size: 98.50 MB
  5. golang-src-1.17.7-1.module+el8+1453+b9e9d61f.noarch.rpm
    Size: 8.96 MB
  6. golang-1.17.7-1.module+el8+1453+b9e9d61f.x86_64.rpm
    Size: 690.08 kB
  7. golang-race-1.17.7-1.module+el8+1453+b9e9d61f.x86_64.rpm
    Size: 19.23 MB
  8. golang-tests-1.17.7-1.module+el8+1453+b9e9d61f.noarch.rpm
    Size: 7.43 MB
  9. golang-misc-1.17.7-1.module+el8+1453+b9e9d61f.noarch.rpm
    Size: 838.96 kB
  10. go-toolset-1.17.7-1.module+el8+1453+b9e9d61f.x86_64.rpm
    Size: 11.72 kB