go-toolset:rhel8 security update

Errata ID: AXSA:2024-7550:01

Release date: Tuesday, February 27, 2024 - 17:56
Subject: go-toolset:rhel8 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.

Security Fix(es):

* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)
* golang: cmd/go: Protocol Fallback when fetching modules (CVE-2023-45285)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-39326
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
CVE-2023-45285
Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
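
The overhead accounting described for CVE-2023-39326, shown as an added sketch in Go (not code from this advisory or from net/http). The names `ReadChunked` and `ErrTooMuchNonData`, the budget values (16 bytes per chunk, 16 KiB in total) and the sample input are assumptions of this example.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

const perChunkAllowance, maxExcess = 16, 16 * 1024 // example budget (assumed values)
var ErrTooMuchNonData = errors.New("chunked body contains too much non-data")

// ReadChunked decodes a chunked body, discarding chunk extensions but counting their bytes.
func ReadChunked(r io.Reader) ([]byte, error) {
	br := bufio.NewReader(r) // the default 4096-byte buffer also caps one size line
	body, excess := new(bytes.Buffer), int64(0)
	for {
		line, err := br.ReadSlice('\n') // bufio.ErrBufferFull on an over-long line
		if err != nil {
			return body.Bytes(), err
		}
		size, _, _ := strings.Cut(strings.TrimRight(string(line), "\r\n"), ";")
		n, err := strconv.ParseUint(strings.TrimSpace(size), 16, 32)
		if err != nil {
			return body.Bytes(), fmt.Errorf("bad chunk size: %w", err)
		}
		// Charge the size line and the chunk's CRLF; credit an allowance plus 2x the payload.
		if excess += int64(len(line)) + 2 - perChunkAllowance - 2*int64(n); excess < 0 {
			excess = 0
		}
		if excess > maxExcess {
			return body.Bytes(), ErrTooMuchNonData
		}
		if n == 0 {
			return body.Bytes(), nil // last chunk; trailers are ignored in this sketch
		}
		if _, err := io.CopyN(body, br, int64(n)+2); err != nil { // payload plus CRLF
			return body.Bytes(), err
		}
		body.Truncate(body.Len() - 2) // drop the CRLF that followed the payload
	}
}

func main() { // constructed input: 1000 extension bytes for every byte of data
	body, err := ReadChunked(strings.NewReader(strings.Repeat("1;"+strings.Repeat("a", 1000)+"\r\nX\r\n", 50)))
	fmt.Printf("decoded %d bytes, err=%v\n", len(body), err)
}
```

An ordinary one-byte-per-chunk stream stays within the budget, because each chunk's few bytes of framing are covered by the per-chunk allowance.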

Modularity name: "go-toolset"
Stream name: "rhel8"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. delve-1.20.2-1.module+el8+1726+bcceb995.src.rpm
    Size: 8.73 MB
  2. golang-1.20.12-2.module+el8+1726+bcceb995.src.rpm
    Size: 24.77 MB
  3. go-toolset-1.20.12-1.module+el8+1726+bcceb995.src.rpm
    Size: 15.01 kB

Asianux Server 8 for x86_64
  1. delve-1.20.2-1.module+el8+1726+bcceb995.x86_64.rpm
    Size: 4.36 MB
  2. delve-debugsource-1.20.2-1.module+el8+1726+bcceb995.x86_64.rpm
    Size: 0.99 MB
  3. golang-1.20.12-2.module+el8+1726+bcceb995.x86_64.rpm
    Size: 684.97 kB
  4. golang-bin-1.20.12-2.module+el8+1726+bcceb995.x86_64.rpm
    Size: 65.11 MB
  5. golang-docs-1.20.12-2.module+el8+1726+bcceb995.noarch.rpm
    Size: 134.40 kB
  6. golang-misc-1.20.12-2.module+el8+1726+bcceb995.noarch.rpm
    Size: 238.51 kB
  7. golang-src-1.20.12-2.module+el8+1726+bcceb995.noarch.rpm
    Size: 11.79 MB
  8. golang-tests-1.20.12-2.module+el8+1726+bcceb995.noarch.rpm
    Size: 8.20 MB
  9. go-toolset-1.20.12-1.module+el8+1726+bcceb995.x86_64.rpm
    Size: 13.04 kB