golang-1.20.12-4.el9_3

Errata ID: AXSA:2024-7718:03

Release date: Thursday, April 25, 2024 - 13:59
Subject: golang-1.20.12-4.el9_3
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

The golang packages provide the Go programming language compiler.

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)

CVE-2023-45288
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
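
The idea behind the fix described above, as an added sketch (not the Go project's patch and not code from this advisory): a receiver counts the bytes of each header block and closes the connection once an assumed budget beyond the header limit is exceeded. The function names, the 4096-byte limit and the 8192-byte excess budget are assumptions chosen for the example; the frames are constructed in memory.

```go
package main

import "errors"
import "fmt"

// Frame type and flag values from RFC 9113.
const frameHeaders, frameContinuation, flagEndHeaders = 0x1, 0x9, 0x4

var errExcessHeaders = errors.New("excess header data, closing connection")

// checkHeaderBlocks walks raw HTTP/2 frames and fails once one header block
// (HEADERS plus its CONTINUATION frames) exceeds maxBytes+excessBudget bytes.
// Payloads are only counted, not HPACK-decoded; both limits are assumed values.
func checkHeaderBlocks(buf []byte, maxBytes, excessBudget int) (frames int, err error) {
	inBlock, blockBytes := false, 0
	for len(buf) >= 9 { // 9-byte frame header: length(3) type(1) flags(1) stream(4)
		length := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])
		typ, flags := buf[3], buf[4]
		if len(buf) < 9+length {
			return frames, errors.New("truncated frame")
		}
		buf = buf[9+length:]
		frames++
		if typ == frameHeaders {
			inBlock, blockBytes = true, 0 // a new header block starts
		} else if typ != frameContinuation || !inBlock {
			continue // not part of a header block
		}
		blockBytes += length
		if blockBytes > maxBytes+excessBudget {
			return frames, errExcessHeaders
		}
		inBlock = flags&flagEndHeaders == 0 // END_HEADERS closes the block
	}
	return frames, nil
}

// frame builds one constructed frame on stream 1 with n zero bytes of payload.
func frame(typ, flags byte, n int) []byte {
	h := []byte{byte(n >> 16), byte(n >> 8), byte(n), typ, flags, 0, 0, 0, 1}
	return append(h, make([]byte, n)...)
}

func main() {
	s := frame(frameHeaders, 0, 1024) // constructed input: one open header block
	for i := 0; i < 100; i++ {
		s = append(s, frame(frameContinuation, 0, 1024)...)
	}
	fmt.Println(checkHeaderBlocks(s, 4096, 8192))
}
```

The budget applies per header block, so a connection that sends many well-formed requests is not penalised; only a block that never sets END_HEADERS within the budget is cut off.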

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. golang-1.20.12-4.el9_3.src.rpm
    MD5: be3af868dc4f7adeecd4cec3351aefc6
    SHA-256: be02d57753bcceb3121108c01922ccade6ddf4860af44dc358bcd87335d1035d
    Size: 24.75 MB

Asianux Server 9 for x86_64
  1. golang-1.20.12-4.el9_3.x86_64.rpm
    MD5: d5a25b399b6b2d5ddb56d9a9dd3cc454
    SHA-256: acff33d70f750e5f4cdf6bc5380ddb0f2ec722f827300429cf0a128ed6ef3790
    Size: 608.11 kB
  2. golang-bin-1.20.12-4.el9_3.x86_64.rpm
    MD5: b7d19416c0c2a6bc496fc4f5f00eb738
    SHA-256: 07406c850905ace0181d2923b5c418189c2fad0488494d82f6080358754cfb56
    Size: 57.99 MB
  3. golang-docs-1.20.12-4.el9_3.noarch.rpm
    MD5: ad5611aeb5f33e86585051770f79feb1
    SHA-256: bc4a3af62575f977152ea3a8a57cf3b98e65634f3e84e8d24d3bf6d1e7e2a099
    Size: 104.88 kB
  4. golang-misc-1.20.12-4.el9_3.noarch.rpm
    MD5: b45b04547b3dd901e521a76240ec7020
    SHA-256: 65614db5faf043b8261a709b8fe12d553efc54acca374ab16979891bf899c348
    Size: 303.44 kB
  5. golang-src-1.20.12-4.el9_3.noarch.rpm
    MD5: b5c4611ca20b7d0259eb564bc2eb4e53
    SHA-256: 1599ac9edf143a044ca3a89043d25cfc9918e0b6bdf9d61e4419dea7b4644898
    Size: 11.64 MB
  6. golang-tests-1.20.12-4.el9_3.noarch.rpm
    MD5: fc833a23cfca6353866c242dcd42e16b
    SHA-256: 01141953b8c5c94d98327e3c4789a0e411d22806a267d59d97270397d654cd8b
    Size: 9.29 MB
  7. go-toolset-1.20.12-4.el9_3.x86_64.rpm
    MD5: adcbcda9356572b928f1d72ce5a67038
    SHA-256: 0fd0fadf80a511eb3eaa836385f31dc22d7e5110f2d7a3de580d91d7a4295306
    Size: 9.08 kB