golang-1.18.9-1.el9, go-toolset-1.18.9-1.el9

Errata ID: AXSA:2023-4904:01

Release date: Tuesday, January 31, 2023 - 07:47
Subject: golang-1.18.9-1.el9, go-toolset-1.18.9-1.el9
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: Moderate
Description: 

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.

The golang packages provide the Go programming language compiler.

Security Fix(es):

* golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Internal linking fails on ppc64le (BZ#2144547)
* crypto testcases fail on golang on s390x [rhel-9] (BZ#2149311)

CVE-2022-2879
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
CVE-2022-2880
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
CVE-2022-41715
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
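
The following check for the CVE-2022-2880 behaviour described above is an added example, not part of the original advisory or the Go project's code. It runs a request through ReverseProxy with and without a Director that parses the query, and captures what would be sent upstream; the host names, the captureTransport and forwardedQuery helpers, and the sample query are constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"strings"
)

// captureTransport (hypothetical helper) records the query string the proxy
// would send upstream and returns a canned response, so no network is needed.
type captureTransport struct{ rawQuery string }

func (c *captureTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	c.rawQuery = r.URL.RawQuery
	return &http.Response{
		StatusCode: http.StatusOK,
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader("ok")),
	}, nil
}

// forwardedQuery runs one inbound request through a ReverseProxy and returns
// the raw query that reached the transport. When parse is true the Director
// calls ParseForm, which sets the outbound request's Form field.
func forwardedQuery(inboundQuery string, parse bool) string {
	ct := &captureTransport{}
	proxy := &httputil.ReverseProxy{
		Transport: ct,
		Director: func(r *http.Request) {
			r.URL.Scheme = "http"
			r.URL.Host = "backend.example" // placeholder upstream name
			if parse {
				_ = r.ParseForm() // an error for the bad pair is expected
			}
		},
	}
	req := httptest.NewRequest(http.MethodGet, "http://proxy.example/?"+inboundQuery, nil)
	proxy.ServeHTTP(httptest.NewRecorder(), req)
	return ct.rawQuery
}

func main() {
	const q = "a=1&b=2;c=3" // constructed sample: ';' makes the second pair unparseable
	fmt.Println("Director does not parse:", forwardedQuery(q, false))
	fmt.Println("Director parses form:   ", forwardedQuery(q, true))
}
```

On a fixed toolchain the parsing proxy forwards only the pairs net/http accepted, while the non-parsing proxy passes the raw query through unchanged, so a backend behind a non-parsing proxy still has to treat the query as untrusted input.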

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. golang-1.18.9-1.el9.src.rpm
    MD5: fea24a94824f8b8dc2e12b1e58c42d16
    SHA-256: eb7b8ee4c3381f60af1038bbf859bd91980e1d3bb31643bea3800395f996e3c7
    Size: 21.65 MB
  2. go-toolset-1.18.9-1.el9.src.rpm
    MD5: 33be59f80e746ac997a5c73e83f49f63
    SHA-256: 96ea154ab616f64fb4c834b55cfc0ee9cbc8f114ca0e3ed0fd86abc383094650
    Size: 9.38 kB

Asianux Server 9 for x86_64
  1. golang-1.18.9-1.el9.x86_64.rpm
    MD5: 54ea9e34d834c70d8b118da710feeccf
    SHA-256: 24d95f22b255949e765fc1a475714ffbe55444df74b3cf876e0d3ae761c01b1c
    Size: 615.08 kB
  2. golang-bin-1.18.9-1.el9.x86_64.rpm
    MD5: e8eebd1ce82f4c9b8e53c063d1896e18
    SHA-256: 85f9c8b77ad61643150da88e66a954682bb389d6df5a8a6c946c964f1526af41
    Size: 96.37 MB
  3. golang-docs-1.18.9-1.el9.noarch.rpm
    MD5: 0ac379c46b82c7c402fb7489be7e0176
    SHA-256: 8a94e5c4969f3d6c2ab4a725e92c8c303cdf548b4fd4c80b59f2c7c8bcddafe5
    Size: 98.42 kB
  4. golang-misc-1.18.9-1.el9.noarch.rpm
    MD5: f35cc344a99aa6650e06b589a3a4bb6d
    SHA-256: baf234675f6902ff97e0e7bb006cffb1293a9d4db89590fa470b1836e0d1990e
    Size: 775.36 kB
  5. golang-race-1.18.9-1.el9.x86_64.rpm
    MD5: c65976705663fa71372c63462e972cc8
    SHA-256: fa63b6a4c874206d971098c9fb5a5ed40374d73599bc06e9d4ffd68f2b4c8b79
    Size: 19.99 MB
  6. golang-src-1.18.9-1.el9.noarch.rpm
    MD5: a37dfda1c0f7e4bf63e0858759b11090
    SHA-256: c18e909f7cc26d2fb6abafdb94225187dc73569d6c6c5830d3be80f5338e3394
    Size: 8.23 MB
  7. golang-tests-1.18.9-1.el9.noarch.rpm
    MD5: 17790ee4ca46defb5bdd4da2657bbce1
    SHA-256: 09fbe51ade1b93d55a64c9d9fa24122bf1c7d4fbba5b9701a32a1777a8180a65
    Size: 7.38 MB
  8. go-toolset-1.18.9-1.el9.x86_64.rpm
    MD5: 19bbb504210ab8126e7d582aa51513a1
    SHA-256: 23ddedd6c7a248b73669552f328a0e0a25c7727a15c77a441e528b6dfe6ab5ac
    Size: 7.54 kB