git-lfs-3.2.0-2.el8
エラータID: AXSA:2023-5956:02
リリース日:
2023/06/09 Friday - 07:25
題名:
git-lfs-3.2.0-2.el8
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- golang には、リバースプロキシから転送されたクエリを含むリクエスト
の Go プロキシの処理に問題があるため、リモートの攻撃者により、
net/http モジュールによって拒否された解析不能なパラメーターを含む
リクエストを介して、HTTP リクエストスマグリング攻撃を可能とする
脆弱性が存在します。(CVE-2022-2880)
- golang の regexp モジュールには、信頼できない情報元から入力された
正規表現をコンパイルする際に大量のメモリを消費してしまう問題がある
ため、リモートの攻撃者により、細工された正規表現の入力を介して、
メモリの枯渇とそれに起因するサービス拒否攻撃を可能とする脆弱性が
存在します。(CVE-2022-41715)
- golang の net/http ライブラリには、大量のメモリを消費してしまう問題
があるため、リモートの攻撃者により、細工した HTTP/2 リクエストの
送信を介して、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2022-41717)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2022-2880
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
CVE-2022-41715
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
CVE-2022-41717
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
追加情報:
N/A
ダウンロード:
SRPMS
- git-lfs-3.2.0-2.el8.src.rpm
MD5: 31d2f407bb2f68bf428e5d14d6295cd2
SHA-256: 62b36d3b846cb5cacfe4819f850f86fc346b1bbf078c6b02bc7e5f8dad83ff84
Size: 3.07 MB
Asianux Server 8 for x86_64
- git-lfs-3.2.0-2.el8.x86_64.rpm
MD5: b8d3c4632f309df131d1ad2c8bae5425
SHA-256: 83a09ce1e0ad18cdf40bc2bb3d31ff2dc225e76bc4577f65c5a187dbb5878949
Size: 4.00 MB
English