go-toolset:rhel8 security update
Errata ID: AXSA:2020-942:01
Release date:
2020/11/24 Tuesday - 02:39
Title:
go-toolset:rhel8 security update
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- encoding/unicode in Go's golang.org/x/text library has an issue that causes
the UTF-16 decoder to enter an infinite loop. When a UTF16 decoder instantiated
with UseBOM or ExpectBOM is called through the String function, or is passed to
golang.org/x/text/transform.String, an attacker can cause a crash or memory
exhaustion by passing a single byte to the decoder. (CVE-2020-14040)
- In some net/http servers, as demonstrated by the httputil.ReverseProxy handler,
Go reads the request body and writes the response at the same time,
which causes a data race. (CVE-2020-15586)
- ReadUvarint and ReadVarint in Go's encoding/binary have a vulnerability that
allows invalid input to cause an infinite read loop. (CVE-2020-16845)
Solution:
Update the packages.
CVE:
CVE-2020-14040
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
CVE-2020-15586
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
CVE-2020-16845
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
Additional information:
N/A
Download:
SRPMS
- delve-1.3.2-3.module+el8+149+c3cdbb21.src.rpm
Size: 7.33 MB
- golang-1.13.15-1.module+el8+149+c3cdbb21.src.rpm
Size: 20.45 MB
- go-toolset-1.13.15-1.module+el8+149+c3cdbb21.src.rpm
Size: 10.43 kB
Asianux Server 8 for x86_64
- delve-1.3.2-3.module+el8+149+c3cdbb21.x86_64.rpm
Size: 4.83 MB
- delve-debugsource-1.3.2-3.module+el8+149+c3cdbb21.x86_64.rpm
Size: 538.10 kB
- golang-1.13.15-1.module+el8+149+c3cdbb21.x86_64.rpm
Size: 697.64 kB
- golang-bin-1.13.15-1.module+el8+149+c3cdbb21.x86_64.rpm
Size: 86.59 MB
- golang-docs-1.13.15-1.module+el8+149+c3cdbb21.noarch.rpm
Size: 2.51 MB
- golang-misc-1.13.15-1.module+el8+149+c3cdbb21.noarch.rpm
Size: 826.65 kB
- golang-race-1.13.15-1.module+el8+149+c3cdbb21.x86_64.rpm
Size: 13.94 MB
- golang-src-1.13.15-1.module+el8+149+c3cdbb21.noarch.rpm
Size: 7.17 MB
- golang-tests-1.13.15-1.module+el8+149+c3cdbb21.noarch.rpm
Size: 6.40 MB
- go-toolset-1.13.15-1.module+el8+149+c3cdbb21.x86_64.rpm
Size: 9.45 kB