go-toolset:rhel8 security and bug fix update
エラータID: AXSA:2022-3736:01
Go Toolset provides the Go programming language tools and libraries. Go is
alternatively known as golang.
Security Fix(es):
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)
* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For
not working (CVE-2022-32148)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
Bug Fix(es):
* Clean up dist-git patches
* Update Go to version 1.17.12
CVE-2022-1705
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2022-1962
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2022-28131
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2022-30630
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2022-30631
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2022-30632
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2022-30633
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2022-30635
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2022-32148
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
Modularity name: [security-high]go-toolset
Stream name: rhel8
Update packages.
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.
In Decoder.Skip in encoding/xml in Go before 1.17.12 and 1.18.x before 1.18.4, stack exhaustion and a panic can occur via a deeply nested XML document.
Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.
Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.
Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
N/A
SRPMS
- delve-1.7.2-1.module+el8+1495+2935313a.src.rpm
MD5: dfcf696adfee6a617cbb435470547f5c
SHA-256: 2c2963b0275dd51cccff7f857402684f077beb1a5d99a86c38f9527be308d844
Size: 8.10 MB - golang-1.17.12-1.module+el8+1495+2935313a.src.rpm
MD5: 0ab6494484c86fde54489d0b8b81437e
SHA-256: bde0e3e072a92954a33ac7ebab989d65164e0fbb759ba4792f4fa9aa4ce8a6a7
Size: 21.02 MB - go-toolset-1.17.12-1.module+el8+1495+2935313a.src.rpm
MD5: 64b7775a4f5cfad115170cf35d8fa25e
SHA-256: aa2a58acfdc90bfe89d76bc6c9b6c7fd97aae2cbc264d08f15f858a919c7e615
Size: 13.61 kB
Asianux Server 8 for x86_64
- delve-1.7.2-1.module+el8+1495+2935313a.x86_64.rpm
MD5: 4cc468a71e68be6623c7d5a4c9b6caf0
SHA-256: 20f2e07e20b20b23ad6b9ca871ece137552b6f172d07fb6844b09c4d2da1acec
Size: 3.70 MB - delve-debugsource-1.7.2-1.module+el8+1495+2935313a.x86_64.rpm
MD5: 1c351f77a91ffac0ac5693154544d3f0
SHA-256: 74f1391c6c8dad7a6aa3fb79cdc606f03304429a661aa2cead41a45294612170
Size: 827.49 kB - golang-1.17.12-1.module+el8+1495+2935313a.x86_64.rpm
MD5: a7efd0b46fdb68db2050fd297862cf7e
SHA-256: af625cc4b2b801a951da4ea32f7964ae6a13f0c78f11279ed29cea8f453ab2eb
Size: 690.39 kB - golang-bin-1.17.12-1.module+el8+1495+2935313a.x86_64.rpm
MD5: 329d73a284b48e32a33803c97b5fe76b
SHA-256: 86054ce79033afb0b1714b402cc27dc89ab8469aad3fef9f829e33e94af53729
Size: 98.62 MB - golang-docs-1.17.12-1.module+el8+1495+2935313a.noarch.rpm
MD5: e6ab717afe599fb256a8a3731438a69f
SHA-256: 379e648543143204c477841497692915b7c1d6c4b14d452a0a4b0d28c0159017
Size: 112.26 kB - golang-misc-1.17.12-1.module+el8+1495+2935313a.noarch.rpm
MD5: fce2d928307f770fc596c2d19ba64c02
SHA-256: 731b2a34ee5237a9bcd5b90256834fd5ae8ebd692d24ed421f5840f6a12b342a
Size: 839.90 kB - golang-race-1.17.12-1.module+el8+1495+2935313a.x86_64.rpm
MD5: 2f39dad44ae2e697001ae2a13a0823c5
SHA-256: 757dbb8f8d49f71e21bc72e028263169f76deae71be10f635df012b4b87f598f
Size: 19.25 MB - golang-src-1.17.12-1.module+el8+1495+2935313a.noarch.rpm
MD5: 7abc2d4d40ce07887a8fe94447888445
SHA-256: 90f8a95f9e8f921a4e74426a59d749a8675333cbe2983341136e7c9b25940acf
Size: 8.97 MB - golang-tests-1.17.12-1.module+el8+1495+2935313a.noarch.rpm
MD5: 37f0060cf84d2a0bf95418e54e76eb36
SHA-256: c873975b2d785d02bcc8572b0688f464804ba87c3602086b7a927da2ded868eb
Size: 7.44 MB - go-toolset-1.17.12-1.module+el8+1495+2935313a.x86_64.rpm
MD5: a661374f2cb6b0cb1ace7033cf832109
SHA-256: 302ad590d7b4a451f13bd520a6815e2e30b04ac670a0c12a1ec51237df768c90
Size: 11.92 kB
日本語