go-toolset:rhel8 security update

Errata ID: AXSA:2024-7720:01

Release date: Thursday, April 25, 2024 - 15:43
Subject: go-toolset:rhel8 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-45288
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
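
The limit described above can be modelled as a per-header-block byte budget enforced while walking HTTP/2 frames; this is an added illustration, not code from this advisory or from the upstream Go patch. Assumptions: `checkHeaderBlocks`, `frame`, `ErrHeaderFlood` and the 16 KiB budget are hypothetical names and values, the whole frame payload is counted (padding and priority fields included), and `main` feeds it a constructed in-memory sample of one HEADERS frame followed by 100 CONTINUATION frames.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

const frameHeaders, frameContinuation, flagEndHeaders = 0x1, 0x9, 0x4 // RFC 9113 values
var ErrHeaderFlood = errors.New("header block over budget: close the connection")

// checkHeaderBlocks walks raw HTTP/2 frames and returns ErrHeaderFlood once one header
// block (HEADERS plus its CONTINUATION frames) exceeds budget bytes (a hypothetical limit).
func checkHeaderBlocks(stream []byte, budget int) (contFrames int, err error) {
	inBlock, blockBytes := false, 0
	for len(stream) >= 9 { // frame header: length(3) type(1) flags(1) stream id(4)
		length := int(stream[0])<<16 | int(stream[1])<<8 | int(stream[2])
		if len(stream) < 9+length {
			break // truncated frame: a real reader would wait for more data
		}
		switch {
		case stream[3] == frameHeaders:
			inBlock, blockBytes = true, length
		case stream[3] == frameContinuation && inBlock:
			contFrames++
			blockBytes += length
		}
		if inBlock && blockBytes > budget {
			return contFrames, ErrHeaderFlood
		}
		if inBlock && stream[4]&flagEndHeaders != 0 {
			inBlock, blockBytes = false, 0 // header block complete, reset the counter
		}
		stream = stream[9+length:]
	}
	return contFrames, nil
}

// frame builds one constructed sample frame on stream 1 with a zeroed payload.
func frame(typ, flags byte, payloadLen int) []byte {
	b := make([]byte, 9+payloadLen)
	b[0], b[1], b[2] = byte(payloadLen>>16), byte(payloadLen>>8), byte(payloadLen)
	b[3], b[4], b[8] = typ, flags, 1
	return b
}

func main() {
	s := append(frame(frameHeaders, 0, 64), bytes.Repeat(frame(frameContinuation, 0, 1024), 100)...)
	fmt.Println(checkHeaderBlocks(s, 16<<10))
}
```

The check stops at the first frame that pushes the block over budget, so the remaining frames are never parsed, which is the property the fix relies on.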

Modularity name: "go-toolset"
Stream name: "rhel8"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. delve-1.20.2-1.module+el8+1746+c846cbb7.src.rpm
    MD5: 3b0d2ee8214cd2b9a5e964b4226e5240
    SHA-256: 368c4492004c647d2820979590dddb1322eb1b73ffb9a59fd6f52dcb28ce4bbb
    Size: 8.73 MB
  2. golang-1.20.12-8.module+el8+1746+c846cbb7.src.rpm
    MD5: 3c9d6979da7459155684e34130e0e467
    SHA-256: af295d637f9ad05095cf98ef87af624107f974a9ff384c5612ac8fcdf90fc6fb
    Size: 24.77 MB
  3. go-toolset-1.20.12-1.module+el8+1746+c846cbb7.src.rpm
    MD5: b3f68ff5c18cc3ec906ce1c4466e6d95
    SHA-256: da60873b8c8562003324e9b6c42b2442457d2c9d369e003165a5f158130cfaa6
    Size: 15.01 kB

Asianux Server 8 for x86_64
  1. delve-1.20.2-1.module+el8+1746+c846cbb7.x86_64.rpm
    MD5: c0feba6b01026c3d3e472337094ad985
    SHA-256: bfdf11ae5aaac1ba5055005d0d614e70b3a122bb88ef8f28bf569bc69e40d8ae
    Size: 4.36 MB
  2. delve-debugsource-1.20.2-1.module+el8+1746+c846cbb7.x86_64.rpm
    MD5: 25697d11dd5779f92ef0c704f2ff251d
    SHA-256: af17bac0d01e3fd857aea349cede37d0e1b9dc19fa07e668d423402da108fc28
    Size: 0.99 MB
  3. golang-1.20.12-8.module+el8+1746+c846cbb7.x86_64.rpm
    MD5: e880f142a0a71569e97f2d4ab0562fa2
    SHA-256: f35d1b2cf48df5ee45889ea7538ec8f11ca1df398d4c89c47b51c91166e97835
    Size: 685.41 kB
  4. golang-bin-1.20.12-8.module+el8+1746+c846cbb7.x86_64.rpm
    MD5: b7ab304f4f8ca81288c7e33192a05c15
    SHA-256: ea6c12d21e044ee195664121687ea6a7e63f04d5958da65b5499a38418191a7e
    Size: 65.12 MB
  5. golang-docs-1.20.12-8.module+el8+1746+c846cbb7.noarch.rpm
    MD5: 2922ff84ac27901da1cfffc872db4082
    SHA-256: 0a1cff06864e5fe023bf2b1924e195e0ce05e86c2f7a7e14c35c83444eb2eb7a
    Size: 134.67 kB
  6. golang-misc-1.20.12-8.module+el8+1746+c846cbb7.noarch.rpm
    MD5: e6427c6442e89df2c7e3c603503f2bad
    SHA-256: f2b1279b8f4fe27bcd803af8460c911bb847b9bd103d141522db618ad2dba125
    Size: 238.78 kB
  7. golang-src-1.20.12-8.module+el8+1746+c846cbb7.noarch.rpm
    MD5: 144665e0e1d9fca7a34e44741ae63c70
    SHA-256: f7f3c2f50ee788643d1045399d9919e55f159b19aa8fbc556ad354829860febb
    Size: 11.79 MB
  8. golang-tests-1.20.12-8.module+el8+1746+c846cbb7.noarch.rpm
    MD5: 1af6a29412955a6fb7fa0cd300096cbe
    SHA-256: 9586fc9a012719d1f5ce3b81b416686b7260caa80ba90bc26dcc9911f6b29206
    Size: 8.20 MB
  9. go-toolset-1.20.12-1.module+el8+1746+c846cbb7.x86_64.rpm
    MD5: 8da301815d26c3d46f6b70ca5f746989
    SHA-256: be8ed10ba72a86b7ba869adbb7533af1ccbd9b09d5f6c4986252616ec4a4ff67
    Size: 13.04 kB