go-toolset:rhel8 security and bug fix update
Errata ID: AXSA:2023-6201:01
Release date:
2023/07/03 Monday - 05:07
Title:
go-toolset:rhel8 security and bug fix update
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- Go's crypto/tls panics when a server or client attempts to construct a
  response to a large TLS handshake record, so a remote attacker can cause a
  denial of service (the affected process crashes) by sending a large TLS
  handshake record. (CVE-2022-41724)
- Go's net/http and mime/multipart consume excessive resources while parsing
  multipart forms, so a remote attacker can cause a denial of service by
  sending crafted requests. (CVE-2022-41725)
Modularity name: go-toolset
Stream name: rhel8
Solution:
Update the packages.
CVE:
CVE-2022-41724
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
CVE-2022-41725
A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. 
Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.
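As an added illustration, not part of this advisory or of the Go project's own code, the following Go program shows the mitigation the text above points to: wrapping the request body in http.MaxBytesReader before calling ParseMultipartForm, so that the total number of bytes read (and therefore the temporary-file usage) is bounded no matter what maxMemory is set to. The handler, the two limits (a 256 KiB body cap and a 32 KiB maxMemory) and the sample form bodies are assumptions made for this example; the program drives the handler in-process with httptest and returns the resulting status codes so the behaviour can be checked without a network.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// maxFormBytes is an assumed limit for this example: the most bytes the
// handler will read from a request body, counting every part, boundary and
// MIME header. This, not maxMemory, is what bounds total memory and disk use.
const maxFormBytes = 256 << 10 // 256 KiB

// maxMemory is the ReadForm parameter. File parts larger than this are
// spilled to a temporary file on disk; by itself it limits neither the
// number of bytes read nor the disk space consumed.
const maxMemory = 32 << 10 // 32 KiB

// uploadHandler parses a multipart form behind http.MaxBytesReader. Once the
// cap is hit the body reader fails with *http.MaxBytesError, ReadForm aborts,
// and the client receives 413 instead of filling memory or disk.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
	if err := r.ParseMultipartForm(maxMemory); err != nil {
		var tooLarge *http.MaxBytesError // type introduced in Go 1.19
		if errors.As(err, &tooLarge) {
			http.Error(w, "form too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "malformed multipart form", http.StatusBadRequest)
		return
	}
	// Temporary files persist until the form is removed; do it explicitly.
	defer r.MultipartForm.RemoveAll()
	n := 0
	for _, headers := range r.MultipartForm.File {
		n += len(headers)
	}
	fmt.Fprintf(w, "accepted %d file part(s)\n", n)
}

// buildMultipart constructs a request body holding one file part of fileSize
// bytes (constructed sample input for this example) and returns the body
// together with the Content-Type value that describes it.
func buildMultipart(fileSize int) (*bytes.Buffer, string) {
	var body bytes.Buffer
	mw := multipart.NewWriter(&body)
	fw, err := mw.CreateFormFile("upload", "payload.bin")
	if err != nil {
		panic(err)
	}
	if _, err := fw.Write(bytes.Repeat([]byte("A"), fileSize)); err != nil {
		panic(err)
	}
	if err := mw.Close(); err != nil {
		panic(err)
	}
	return &body, mw.FormDataContentType()
}

// postForm drives uploadHandler in-process with the given body and returns
// the HTTP status code the handler produced.
func postForm(body io.Reader, contentType string) int {
	req := httptest.NewRequest(http.MethodPost, "/upload", body)
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code
}

func main() {
	small, ct := buildMultipart(8 << 10)
	fmt.Println("8 KiB file part   ->", postForm(small, ct)) // 200
	big, ct := buildMultipart(512 << 10)
	fmt.Println("512 KiB file part ->", postForm(big, ct)) // 413
}
```

The 512 KiB part is larger than maxMemory, so ReadForm starts spilling it to a temporary file, but the MaxBytesReader cut-off at 256 KiB stops the copy and the handler answers 413; without the wrapper the same request would be written to disk in full, and a client could repeat it as often as it liked.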
Additional information:
N/A
Downloads:
SRPMS
- delve-1.9.1-1.module+el8+1634+52d7b65f.src.rpm
  MD5: db0b78beacc07b6dd52fdc37e4d6e1c6
  SHA-256: afee7270d73f57c4bdb10730777e8fcfd800991715a38393945c725a0955e2ae
  Size: 8.69 MB
- golang-1.19.6-1.module+el8+1634+52d7b65f.src.rpm
  MD5: b163960c07df17fb18ea81392efb641c
  SHA-256: c8de9d89fe75dc6310df391716bba3e961eff99c09b69850cbd62eb52b0d9aa0
  Size: 25.07 MB
- go-toolset-1.19.6-1.module+el8+1634+52d7b65f.src.rpm
  MD5: 8a97504cb7a7912c1be5c29e6d891e6f
  SHA-256: e3e55ffdb6ea103a82a6f65bc1d28afb057db688558ed97fdd36072faa571c46
  Size: 14.42 kB
Asianux Server 8 for x86_64
- delve-1.9.1-1.module+el8+1634+52d7b65f.x86_64.rpm
  MD5: 62d85f34fd91cea4f1df9536d5f06461
  SHA-256: 5703ca7f1cd7a8604da6fa4cc4a0ff4f4ce5f78646adf7948a1ae21f631040e5
  Size: 4.33 MB
- delve-debugsource-1.9.1-1.module+el8+1634+52d7b65f.x86_64.rpm
  MD5: 26f3a6d8c3304f3256e0fabde594de32
  SHA-256: 1b29545aafd013e7ddf2dac10554567266ddbb50a4622337dd8e1c12d8c348d5
  Size: 0.99 MB
- golang-1.19.6-1.module+el8+1634+52d7b65f.x86_64.rpm
  MD5: c1dc8a58f819327892089d8db35a5396
  SHA-256: 73f93d2634500e53ea42138fe039056f352b13753c2f472d29f113b715c2d8b3
  Size: 654.42 kB
- golang-bin-1.19.6-1.module+el8+1634+52d7b65f.x86_64.rpm
  MD5: 954daaadf2085931b06d06089b676fa4
  SHA-256: 24c852656e6d7baa950cea556305d587037ab75f2eba72796301e57b0a413876
  Size: 106.95 MB
- golang-docs-1.19.6-1.module+el8+1634+52d7b65f.noarch.rpm
  MD5: c089b9ee149a84322c0fcefb084dde84
  SHA-256: eea3e2ff726c3b8bcd084a1d677a3d28ea850c64843fe3b35b2735faf55f5e57
  Size: 116.99 kB
- golang-misc-1.19.6-1.module+el8+1634+52d7b65f.noarch.rpm
  MD5: c717682b2e737ba1e54756b2a61b0c69
  SHA-256: 692390e05b1cdd7270e574e946e8c06f6bb22937a8517d63bc4658f6540b05a3
  Size: 235.69 kB
- golang-race-1.19.6-1.module+el8+1634+52d7b65f.x86_64.rpm
  MD5: 3546ab99851c45f0d964a6662d4e9b42
  SHA-256: dc9296eede14d7fdd7947b40aff8ad6a9705ddf0a2f5d09a461c2f5ddd77a30a
  Size: 21.43 MB
- golang-src-1.19.6-1.module+el8+1634+52d7b65f.noarch.rpm
  MD5: ef23fdb894c466824ddf300ba35270e3
  SHA-256: 5a2df70f883737cefe6030e536f70d23e792a68fb10e9b875b0260bfed6be55b
  Size: 12.30 MB
- golang-tests-1.19.6-1.module+el8+1634+52d7b65f.noarch.rpm
  MD5: 66f716820d63ec06964dd9430403b0a2
  SHA-256: 40fdb9614ccae900a5bb0700a00110dfec7b8713880b6b681d76a57b5ab68678
  Size: 8.11 MB
- go-toolset-1.19.6-1.module+el8+1634+52d7b65f.x86_64.rpm
  MD5: 4ec9a74f9688803ec313a747443a4ead
  SHA-256: 5ed8cd4e393643556cb9f216ad09adee631112507083d757604ed095a0cf9014
  Size: 12.55 kB