toolbox-0.0.99.3-10.el9
Errata ID: AXSA:2023-6548:02
Release date:
2023/10/26 Thursday - 11:36
Title:
toolbox-0.0.99.3-10.el9
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- Go's HTTP/2 client functionality has an issue that causes the server it connects to to consume unintended resources. A remote attacker can therefore carry out a denial-of-service attack (resource exhaustion) by sending, from a crafted Go application, new multiplexed stream requests followed by request cancellations via RST_STREAM frames. (CVE-2023-39325)
- The HTTP/2 protocol has an issue that leads to unintended resource consumption. A remote attacker can therefore carry out a denial-of-service attack (resource exhaustion) by sending new multiplexed stream requests followed by request cancellations via RST_STREAM frames. (CVE-2023-44487)
Solution:
Update the package.
CVE:
CVE-2023-39325
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
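The mitigation described above (bound the number of executing handlers to the stream concurrency limit, queue further requests, and drop the connection if the queue grows too large) can be modelled with a small per-connection limiter. The block below is an added illustration, not the code shipped in net/http or golang.org/x/net/http2; the limiter type, the limits (250 active, 1000 queued) and the ConnContext wiring are assumptions made for the example. In a real deployment the knob remains http2.Server.MaxConcurrentStreams applied through http2.ConfigureServer, as the advisory states.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"sync"
)

// connLimiter models the fix for CVE-2023-39325: at most maxActive handlers
// run at once on one connection, further requests wait in a queue, and a
// queue longer than maxQueued makes the server give up on the connection.
// Added illustration only; not the net/http or x/net/http2 implementation.
type connLimiter struct {
	mu        sync.Mutex
	cond      *sync.Cond
	maxActive int
	maxQueued int
	active    int // handlers currently executing
	queued    int // requests waiting for a slot
	closed    bool
}

func newConnLimiter(maxActive, maxQueued int) *connLimiter {
	l := &connLimiter{maxActive: maxActive, maxQueued: maxQueued}
	l.cond = sync.NewCond(&l.mu)
	return l
}

// Enter waits for a handler slot. It returns false when the connection must
// be terminated because the queue limit was exceeded (now or earlier).
func (l *connLimiter) Enter() bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.closed {
		return false
	}
	if l.active < l.maxActive {
		l.active++
		return true
	}
	if l.queued >= l.maxQueued {
		// Only reachable when streams are reset faster than handlers
		// finish: stop serving this connection and wake the waiters.
		l.closed = true
		l.cond.Broadcast()
		return false
	}
	l.queued++
	for l.active >= l.maxActive && !l.closed {
		l.cond.Wait()
	}
	l.queued--
	if l.closed {
		return false
	}
	l.active++
	return true
}

// Exit releases a handler slot and wakes one queued request.
func (l *connLimiter) Exit() {
	l.mu.Lock()
	l.active--
	l.cond.Signal()
	l.mu.Unlock()
}

// Counts reports the limiter state (handy for monitoring and tests).
func (l *connLimiter) Counts() (active, queued int, closed bool) {
	l.mu.Lock()
	defer l.mu.Unlock()
	return l.active, l.queued, l.closed
}

type ctxKey struct{}

// limitHandlers looks up the per-connection limiter stored by ConnContext.
// Aborting the handler only ends the stream; the real fix closes the whole
// connection inside the HTTP/2 server, which a handler cannot do itself.
func limitHandlers(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if l, ok := r.Context().Value(ctxKey{}).(*connLimiter); ok {
			if !l.Enter() {
				panic(http.ErrAbortHandler)
			}
			defer l.Exit()
		}
		next.ServeHTTP(w, r)
	})
}

// newServer attaches a fresh limiter to every accepted connection.
func newServer(addr string, maxActive, maxQueued int, h http.Handler) *http.Server {
	return &http.Server{
		Addr:    addr,
		Handler: limitHandlers(h),
		ConnContext: func(ctx context.Context, c net.Conn) context.Context {
			return context.WithValue(ctx, ctxKey{}, newConnLimiter(maxActive, maxQueued))
		},
	}
}

func main() {
	srv := newServer(":8080", 250, 1000, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	fmt.Println(srv.ListenAndServe())
}
```

The limiter's `Counts` output is the value worth exporting as a metric: a rising `queued` count or a `closed` connection on a server that otherwise sees steady traffic is the signature of the rapid-reset pattern the advisory describes.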
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Additional information:
N/A
Downloads:
SRPMS
- toolbox-0.0.99.3-10.el9.src.rpm
MD5: a2b018418327a2f9bfe8832616d2fab3
SHA-256: ee4d34dd1f9ac2b3cbb0a223eacbfdf4cb2cf5f558da4b8098984023da8db4f1
Size: 2.20 MB
Asianux Server 9 for x86_64
- toolbox-0.0.99.3-10.el9.x86_64.rpm
MD5: 3480d3f2358831809a38886854fde522
SHA-256: 5ad7cc09f26fcf87068a9fe7af828334d7b03c793038d527112b72883c0e469b
Size: 2.36 MB
- toolbox-tests-0.0.99.3-10.el9.x86_64.rpm
MD5: 75f525e088c1e9305d68505100868b64
SHA-256: 87a5202913e7d2ccc4f2b910dee60f4e90834c53f89eda51b77dc21291f3ace0
Size: 32.71 kB