golang-1.20.12-1.el9_3
Errata ID: AXSA:2024-7583:01
The golang packages provide the Go programming language compiler.
Security Fix(es):
* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)
* golang: cmd/go: Protocol Fallback when fetching modules (CVE-2023-45285)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2023-39326
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
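The check described above can be illustrated with a small chunked-transfer decoder. The following Go program is an added example written for this advisory, not code from the Go standard library or from the package being updated: it decodes RFC 7230 chunked bodies, discards chunk extensions the way net/http does, but accounts for every overhead byte (size line, extension, CRLFs) and lets each body byte forgive one overhead byte. The `MaxExcess` budget, the `ErrExcessiveChunkOverhead` name and the `PaddedChunks` fixture are this example's own assumptions; the stdlib's actual constants differ.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ErrExcessiveChunkOverhead is returned once the encoding overhead (chunk-size
// lines, chunk extensions and CRLFs) grows too large relative to body bytes.
var ErrExcessiveChunkOverhead = errors.New("chunked body: excessive encoding overhead")

// MaxExcess is this example's overhead budget (an assumption, not the stdlib
// constant): every body byte received forgives one overhead byte, and the
// outstanding overhead may never exceed MaxExcess bytes.
const MaxExcess = 1024

// chunkedReader decodes HTTP/1.1 chunked transfer coding from r, discarding
// chunk extensions but charging their length against the overhead budget.
type chunkedReader struct {
	r      *bufio.Reader
	excess int64 // overhead bytes not yet paid for by body bytes
}

// readChunk reads one chunk (size line, data, trailing CRLF). It returns
// (nil, io.EOF) on the final zero-length chunk.
func (cr *chunkedReader) readChunk() ([]byte, error) {
	line, err := cr.r.ReadString('\n')
	if err != nil {
		return nil, err
	}
	// The whole size line, including any ";name=value" extension, is overhead;
	// +2 accounts for the CRLF that will follow the chunk data.
	cr.excess += int64(len(line)) + 2
	if cr.excess > MaxExcess {
		return nil, ErrExcessiveChunkOverhead
	}
	sizeField := strings.TrimRight(line, "\r\n")
	if i := strings.IndexByte(sizeField, ';'); i >= 0 {
		sizeField = sizeField[:i] // drop the chunk extension, as net/http does
	}
	size, err := strconv.ParseUint(strings.TrimSpace(sizeField), 16, 32)
	if err != nil {
		return nil, fmt.Errorf("chunked body: bad chunk size %q", sizeField)
	}
	if size == 0 {
		// Consume the empty trailer section's CRLF; trailers are not handled here.
		if _, err := cr.r.ReadString('\n'); err != nil && err != io.EOF {
			return nil, err
		}
		return nil, io.EOF
	}
	data := make([]byte, size)
	if _, err := io.ReadFull(cr.r, data); err != nil {
		return nil, err
	}
	// Body bytes pay down the accumulated overhead one for one.
	cr.excess -= int64(size)
	if cr.excess < 0 {
		cr.excess = 0
	}
	// Consume the CRLF that terminates the chunk data.
	if _, err := cr.r.ReadString('\n'); err != nil {
		return nil, err
	}
	return data, nil
}

// DecodeChunked decodes a complete chunked body, returning the body bytes or
// ErrExcessiveChunkOverhead when the overhead check trips.
func DecodeChunked(encoded string) ([]byte, error) {
	cr := &chunkedReader{r: bufio.NewReader(strings.NewReader(encoded))}
	var body []byte
	for {
		chunk, err := cr.readChunk()
		if err == io.EOF {
			return body, nil
		}
		if err != nil {
			return body, err
		}
		body = append(body, chunk...)
	}
}

// PaddedChunks is a constructed test fixture: n one-byte chunks, each carrying
// an extLen-byte extension, so almost nothing read from the wire is body.
func PaddedChunks(n, extLen int) string {
	var sb strings.Builder
	ext := strings.Repeat("x", extLen)
	for i := 0; i < n; i++ {
		sb.WriteString("1;pad=" + ext + "\r\na\r\n")
	}
	sb.WriteString("0\r\n\r\n")
	return sb.String()
}

func main() {
	body, err := DecodeChunked("4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n")
	fmt.Printf("normal stream: %q err=%v\n", body, err)
	_, err = DecodeChunked(PaddedChunks(100, 200))
	fmt.Println("padded stream:", err)
}
```

A well-formed body with a few short extensions decodes normally, while a stream that spends roughly 200 overhead bytes per body byte is rejected after a handful of chunks instead of being read to completion; that bounded-overhead behaviour is what the patched reader enforces.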
CVE-2023-45285
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
Update packages.
N/A
SRPMS
- golang-1.20.12-1.el9_3.src.rpm
MD5: b978d8bc8c08075ef06fd56ba287be23
SHA-256: e50879d4647bf04feb4c719059d3bb9ce39ce0b28a34367ea4f455d1442d0969
Size: 24.75 MB
Asianux Server 9 for x86_64
- golang-1.20.12-1.el9_3.x86_64.rpm
MD5: 69914342beb0e7f304de48fb840dfe67
SHA-256: de94f3c168f91a0a2ae6a213a991728f9e977dafe5963a7c090f296cb319301d
Size: 607.94 kB
- golang-bin-1.20.12-1.el9_3.x86_64.rpm
MD5: 042337ba13e2e78d16ec4e4a81521605
SHA-256: 715852622c682dc807118ab6fbd0a83bd4438d9fffa2e5fb93e685b41da50680
Size: 58.00 MB
- golang-docs-1.20.12-1.el9_3.noarch.rpm
MD5: b8a0ace05e9370b1502c9ca86bc70b55
SHA-256: a1c329516d34d3f5da458f482f814b62c31dc0d3553c4b856137fa23b56bdb21
Size: 104.87 kB
- golang-misc-1.20.12-1.el9_3.noarch.rpm
MD5: e30d40cf1525f7b1d4601a6a339819da
SHA-256: 4d318475cddeca48544fe47079ddba0548305b24401f74d0628ec3fddc4b5f3f
Size: 303.43 kB
- golang-src-1.20.12-1.el9_3.noarch.rpm
MD5: 68eef3ef81e90871a597c2e0d7388f84
SHA-256: 9433f9e1492d27bf5dcba10e8de5e35bcdd76d3485236e7ece8751d29c96f982
Size: 11.64 MB
- golang-tests-1.20.12-1.el9_3.noarch.rpm
MD5: ad2ab31a947420469ff9f6f2d5494bc0
SHA-256: f94d1143eafdb182b27877a6a09b5b26f629a612c2125cddd41a2b3021ee2123
Size: 9.29 MB
- go-toolset-1.20.12-1.el9_3.x86_64.rpm
MD5: 6a7fff4765a32ff3c5c6a203e74e0ee1
SHA-256: 62357da7416ffe8a3b7c58fdfc8cb78da779f25cdebf35c6a0ef187f814bd94f
Size: 9.07 kB