Errata ID: AXSA:2023-5956:02

Release date:
Friday, June 9, 2023 - 07:25
Affected Channels:
Asianux Server 8 for x86_64

Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.

Security Fix(es):

* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
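The ReverseProxy behaviour described for CVE-2022-2880 above, as an added illustration (not code from the advisory, git-lfs, or Go): two Directors run a constructed inbound query with one malformed percent-escape through a patched ReverseProxy, one that parses the form (so the fix drops the unparseable pair) and one that does not (so the raw query is forwarded unchanged). The upstream host, the capturing transport and the sample query are assumptions made for the demonstration; nothing is sent over the network.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// captureTransport stands in for the upstream server: it records the query
// string the proxy would have sent and answers 200 without dialling anything.
type captureTransport struct{ forwardedQuery string }

func (t *captureTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	t.forwardedQuery = req.URL.RawQuery
	return &http.Response{
		StatusCode: http.StatusOK,
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader("")),
	}, nil
}

// forwardedQuery pushes an inbound GET carrying rawQuery through a
// ReverseProxy and returns the query the proxy forwarded upstream.
// With parseForm set, the Director calls ParseForm; that leaves outreq.Form
// non-nil, which is the condition under which the patched ReverseProxy
// re-encodes the forwarded query and drops pairs net/http cannot parse.
func forwardedQuery(rawQuery string, parseForm bool) string {
	upstream, _ := url.Parse("http://upstream.invalid") // placeholder target, never dialled
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	defaultDirector := proxy.Director
	proxy.Director = func(req *http.Request) {
		defaultDirector(req)
		if parseForm {
			_ = req.ParseForm() // returns an error for the bad pair; Form is still populated
		}
	}
	capture := &captureTransport{}
	proxy.Transport = capture

	inbound := httptest.NewRequest(http.MethodGet, "http://proxy.example/path?"+rawQuery, nil)
	proxy.ServeHTTP(httptest.NewRecorder(), inbound)
	return capture.forwardedQuery
}

func main() {
	q := "user=alice&flag=%zz" // constructed: "%zz" is not a valid percent-escape
	fmt.Printf("Director without ParseForm forwards: %q\n", forwardedQuery(q, false))
	fmt.Printf("Director with ParseForm forwards:    %q\n", forwardedQuery(q, true))
}
```

Requires a Go release that includes the fix; on an unpatched release both calls forward the query unchanged, which is the quickest way to confirm whether a proxy's toolchain is affected.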


Update packages.

Additional Info:

  1. git-lfs-3.2.0-2.el8.src.rpm
    MD5: 31d2f407bb2f68bf428e5d14d6295cd2
    SHA-256: 62b36d3b846cb5cacfe4819f850f86fc346b1bbf078c6b02bc7e5f8dad83ff84
    Size: 3.07 MB

Asianux Server 8 for x86_64
  1. git-lfs-3.2.0-2.el8.x86_64.rpm
    MD5: b8d3c4632f309df131d1ad2c8bae5425
    SHA-256: 83a09ce1e0ad18cdf40bc2bb3d31ff2dc225e76bc4577f65c5a187dbb5878949
    Size: 4.00 MB