go-toolset:rhel8 security update
エラータID: AXSA:2023-6520:01
リリース日:
2023/10/20 Friday - 07:10
題名:
go-toolset:rhel8 security update
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Go の HTTP/2 クライアント機能には、接続先のサーバーに対して意図
しないリソースを消費させてしまう問題があるため、リモートの攻撃者
により、細工された Go アプリケーションからの新規の多重ストリームの
リクエストと RST_STREAM フレームによるリクエストのキャンセルの
送信を介して、サービス拒否攻撃 (リソース枯渇) を可能とする脆弱性が
存在します。(CVE-2023-39325)
- HTTP/2 プロトコルには、意図しないリソースの消費に至る問題がある
ため、リモートの攻撃者により、新規の多重ストリームのリクエストと
RST_STREAM フレームによるリクエストのキャンセルの送信を介して、
サービス拒否攻撃 (リソース枯渇) を可能とする脆弱性が存在します。
(CVE-2023-44487)
Modularity name: go-toolset
Stream name: rhel8
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2023-39325
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
追加情報:
N/A
ダウンロード:
SRPMS
- delve-1.9.1-1.module+el8+1671+be44a916.src.rpm
MD5: e285cca1609fa9969bdbfd4f48dacdcf
SHA-256: 76085b000fe50e7e8b3985cfe37a7d8aff1faa74117e2f9d2b4b99652af617f1
Size: 8.69 MB - golang-1.19.13-1.module+el8+1671+be44a916.src.rpm
MD5: b182709ad7686e285494f12134eb3b1c
SHA-256: d9a3b2c6ad8c8f546728325e24fbe524c8b45116059dbc98a1e6171df4f79d5c
Size: 25.11 MB - go-toolset-1.19.13-1.module+el8+1671+be44a916.src.rpm
MD5: 9fa98e7fb5df2055f9ad4fdaa4516fb4
SHA-256: 528fa33493fe6f2b592b24eaccbb2e30bb43ef0e46a595dd6475bef7386ae50b
Size: 14.81 kB
Asianux Server 8 for x86_64
- delve-1.9.1-1.module+el8+1671+be44a916.x86_64.rpm
MD5: 0cdc1cc783ab2c477b3914ca2d7c08e5
SHA-256: db621ae63e27e12275b3fdf7440726222ce375a358aa1527937753c58ef0f16f
Size: 4.33 MB - delve-debugsource-1.9.1-1.module+el8+1671+be44a916.x86_64.rpm
MD5: 6c7afe055d631b960820d0f0fe5c5991
SHA-256: a4e2e86193ec9af2894ea47bbff1df60fec96740e3cc691a39415ef2fe0238bd
Size: 0.99 MB - golang-1.19.13-1.module+el8+1671+be44a916.x86_64.rpm
MD5: c180d20234cb40c7359b306ae29c0091
SHA-256: 51ed2fed51e473f2b14636b0e99cc49e546958060461fd0489f62dc654d7ff9d
Size: 654.92 kB - golang-bin-1.19.13-1.module+el8+1671+be44a916.x86_64.rpm
MD5: e83112a6c825bfe84e8c99d5d88f7663
SHA-256: e9321b3cbeac9009a38eabe1b608838de840c554e971ad32de3340b575aab437
Size: 107.07 MB - golang-docs-1.19.13-1.module+el8+1671+be44a916.noarch.rpm
MD5: dfa103a2a294b8452c6651026a74c171
SHA-256: 02100c410633b9c7e506fec8ac97ceca390d655e4137c5fb1fa23a5a1cfdc62e
Size: 117.44 kB - golang-misc-1.19.13-1.module+el8+1671+be44a916.noarch.rpm
MD5: 35464508faca9718afe5e6550ff48ef8
SHA-256: 86069c1287519ecd87a3df14dd73f3e458ed67ddb99ece0b0dcd6ac3b73b6314
Size: 236.15 kB - golang-race-1.19.13-1.module+el8+1671+be44a916.x86_64.rpm
MD5: 7a152996342a56fe0db559a47cfb36ba
SHA-256: d91e62e601c4fbea61eea7144d7cceb6457695908f576f06a49af77c229936da
Size: 21.45 MB - golang-src-1.19.13-1.module+el8+1671+be44a916.noarch.rpm
MD5: 1cba750e783dd7b439f6e097b0037df5
SHA-256: 64e83f241348364768d46d35cb699b499146fcfb64e70f2558df7a4710caf0d4
Size: 12.31 MB - golang-tests-1.19.13-1.module+el8+1671+be44a916.noarch.rpm
MD5: 3bd4b7ce2ef346e223c679fabd96477c
SHA-256: bdcfac0d29cf03dd89ba4a406c947a3287237c2fd111a157398e849e37626b85
Size: 8.12 MB - go-toolset-1.19.13-1.module+el8+1671+be44a916.x86_64.rpm
MD5: 63cbc61e692a918e84f1b1ec1f0551d2
SHA-256: 3493ff1bd8589c8db70ef7ff0b84bc45dee7f13ff8437af0dad203765bc1daa8
Size: 12.88 kB
English