golang-1.18.9-1.el9, go-toolset-1.18.9-1.el9
エラータID: AXSA:2023-4904:01
リリース日:
2023/01/31 Tuesday - 07:47
題名:
golang-1.18.9-1.el9, go-toolset-1.18.9-1.el9
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- golang の Reader モジュールの Read 関数には、対象とするファイル
のヘッダーの最大サイズを制限していない問題があるため、リモート
の攻撃者により、細工されたアーカイブファイルによる無制限のメモリ
割り当てを介して、リソースの枯渇およびパニックの発生を可能とする
脆弱性が存在します。(CVE-2022-2879)
- golang には、リバースプロキシから転送されたクエリを含むリクエスト
の Go プロキシの処理に問題があるため、リモートの攻撃者により、
net/http モジュールによって拒否された解析不能なパラメーターを含む
リクエストを介して、HTTP リクエストスマグリング攻撃を可能とする
脆弱性が存在します。(CVE-2022-2880)
- golang の regexp モジュールには、信頼できない情報元から入力された
正規表現をコンパイルする際に大量のメモリを消費してしまう問題が
あるため、リモートの攻撃者により、細工された正規表現の入力を介
して、メモリの枯渇とそれに起因するサービス拒否攻撃を可能とする
脆弱性が存在します。(CVE-2022-41715)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2022-2879
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
CVE-2022-2880
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
CVE-2022-41715
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
追加情報:
N/A
ダウンロード:
SRPMS
- golang-1.18.9-1.el9.src.rpm
MD5: fea24a94824f8b8dc2e12b1e58c42d16
SHA-256: eb7b8ee4c3381f60af1038bbf859bd91980e1d3bb31643bea3800395f996e3c7
Size: 21.65 MB - go-toolset-1.18.9-1.el9.src.rpm
MD5: 33be59f80e746ac997a5c73e83f49f63
SHA-256: 96ea154ab616f64fb4c834b55cfc0ee9cbc8f114ca0e3ed0fd86abc383094650
Size: 9.38 kB
Asianux Server 9 for x86_64
- golang-1.18.9-1.el9.x86_64.rpm
MD5: 54ea9e34d834c70d8b118da710feeccf
SHA-256: 24d95f22b255949e765fc1a475714ffbe55444df74b3cf876e0d3ae761c01b1c
Size: 615.08 kB - golang-bin-1.18.9-1.el9.x86_64.rpm
MD5: e8eebd1ce82f4c9b8e53c063d1896e18
SHA-256: 85f9c8b77ad61643150da88e66a954682bb389d6df5a8a6c946c964f1526af41
Size: 96.37 MB - golang-docs-1.18.9-1.el9.noarch.rpm
MD5: 0ac379c46b82c7c402fb7489be7e0176
SHA-256: 8a94e5c4969f3d6c2ab4a725e92c8c303cdf548b4fd4c80b59f2c7c8bcddafe5
Size: 98.42 kB - golang-misc-1.18.9-1.el9.noarch.rpm
MD5: f35cc344a99aa6650e06b589a3a4bb6d
SHA-256: baf234675f6902ff97e0e7bb006cffb1293a9d4db89590fa470b1836e0d1990e
Size: 775.36 kB - golang-race-1.18.9-1.el9.x86_64.rpm
MD5: c65976705663fa71372c63462e972cc8
SHA-256: fa63b6a4c874206d971098c9fb5a5ed40374d73599bc06e9d4ffd68f2b4c8b79
Size: 19.99 MB - golang-src-1.18.9-1.el9.noarch.rpm
MD5: a37dfda1c0f7e4bf63e0858759b11090
SHA-256: c18e909f7cc26d2fb6abafdb94225187dc73569d6c6c5830d3be80f5338e3394
Size: 8.23 MB - golang-tests-1.18.9-1.el9.noarch.rpm
MD5: 17790ee4ca46defb5bdd4da2657bbce1
SHA-256: 09fbe51ade1b93d55a64c9d9fa24122bf1c7d4fbba5b9701a32a1777a8180a65
Size: 7.38 MB - go-toolset-1.18.9-1.el9.x86_64.rpm
MD5: 19bbb504210ab8126e7d582aa51513a1
SHA-256: 23ddedd6c7a248b73669552f328a0e0a25c7727a15c77a441e528b6dfe6ab5ac
Size: 7.54 kB
English