go-toolset:rhel8 security update
Errata ID: AXSA:2024-7550:01
Release date:
2024/02/27 Tuesday - 17:56
Title:
go-toolset:rhel8 security update
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- The chunk-extension handling in Go's net/http chunked-encoding reader allows reading far more data from the network than the body contains (up to about 1 GiB), so a remote attacker can cause a denial of service by sending a large volume of crafted data. (CVE-2023-39326)
- Go's cmd/go falls back to fetching a module over the "git://" protocol when the "https://" or "git+ssh://" protocols are unavailable, so a remote attacker can cause a malicious module to be fetched and executed via retrieval of a module whose name carries the ".git" suffix. (CVE-2023-45285)
Modularity name: go-toolset
Stream name: rhel8
Solution:
Update the packages.
CVE:
CVE-2023-39326
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
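To make the "ratio of real body to encoded bytes" check concrete, here is an added example (not Go's own net/http code, and not part of this advisory) of a chunked-encoding decoder that charges every framing byte, chunk extensions included, to an "excess" budget and forgives a fixed credit per delivered body byte. The 4:1 credit, the 16 KiB budget, and the helper names (chunkedReader, decodeChunked, extensionHeavyStream) are this example's assumptions; the constructed inputs in main are test data, not captured traffic.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ErrTooMuchOverhead is returned once framing bytes (chunk-size lines,
// extensions, CRLFs) outweigh the body bytes actually delivered.
var ErrTooMuchOverhead = errors.New("chunked encoding contains too much non-data")

// bodyCredit is the number of excess bytes forgiven per body byte delivered.
// This constant and maxExcess are assumptions of this example, not the
// exact values used by Go's net/http.
const bodyCredit = 4

// chunkedReader decodes HTTP/1.1 chunked transfer encoding while tracking
// how much of what it consumed from the wire was not body data.
type chunkedReader struct {
	r         *bufio.Reader
	remaining int64 // body bytes left in the current chunk
	excess    int64 // framing bytes not yet paid for by body bytes
	maxExcess int64 // budget after which we stop reading
	done      bool
}

func newChunkedReader(r io.Reader, maxExcess int64) *chunkedReader {
	return &chunkedReader{r: bufio.NewReader(r), maxExcess: maxExcess}
}

// readLine reads one CRLF-terminated line. ReadSlice is bounded by the bufio
// buffer, so a single oversized header line cannot force unbounded reads.
func (cr *chunkedReader) readLine() (string, error) {
	line, err := cr.r.ReadSlice('\n')
	if errors.Is(err, bufio.ErrBufferFull) {
		return "", errors.New("chunk header line too long")
	}
	if err != nil {
		return "", err
	}
	cr.excess += int64(len(line)) // extensions are charged here
	return strings.TrimRight(string(line), "\r\n"), nil
}

// readChunkHeader parses "<hex-size>[;extension...]". Extensions are
// discarded, as net/http does, but their length counts against the budget.
func (cr *chunkedReader) readChunkHeader() error {
	line, err := cr.readLine()
	if err != nil {
		return err
	}
	if i := strings.IndexByte(line, ';'); i >= 0 {
		line = line[:i]
	}
	size, err := strconv.ParseInt(strings.TrimSpace(line), 16, 64)
	if err != nil || size < 0 {
		return fmt.Errorf("invalid chunk size %q", line)
	}
	cr.remaining = size
	if size == 0 { // last chunk: consume trailer lines up to the blank line
		for {
			t, err := cr.readLine()
			if err != nil {
				return err
			}
			if t == "" {
				break
			}
		}
		cr.done = true
	}
	return nil
}

// readChunkCRLF consumes the CRLF that follows each chunk's data.
func (cr *chunkedReader) readChunkCRLF() error {
	var crlf [2]byte
	if _, err := io.ReadFull(cr.r, crlf[:]); err != nil {
		return err
	}
	cr.excess += 2
	if crlf != [2]byte{'\r', '\n'} {
		return errors.New("malformed chunk terminator")
	}
	return nil
}

func (cr *chunkedReader) Read(p []byte) (int, error) {
	if len(p) == 0 {
		return 0, nil
	}
	for {
		if cr.done {
			return 0, io.EOF
		}
		if cr.remaining == 0 {
			if err := cr.readChunkHeader(); err != nil {
				return 0, err
			}
			// The mitigation: stop draining the connection as soon as the
			// framing-to-body ratio has grown too small.
			if cr.excess > cr.maxExcess {
				return 0, ErrTooMuchOverhead
			}
			continue
		}
		if int64(len(p)) > cr.remaining {
			p = p[:cr.remaining]
		}
		n, err := cr.r.Read(p)
		cr.remaining -= int64(n)
		cr.excess -= bodyCredit * int64(n)
		if cr.excess < 0 {
			cr.excess = 0
		}
		if err != nil {
			if errors.Is(err, io.EOF) {
				err = io.ErrUnexpectedEOF
			}
			return n, err
		}
		if cr.remaining == 0 {
			if err := cr.readChunkCRLF(); err != nil {
				return n, err
			}
		}
		return n, nil
	}
}

// decodeChunked returns the body bytes delivered before EOF or an error.
func decodeChunked(raw []byte, maxExcess int64) ([]byte, error) {
	return io.ReadAll(newChunkedReader(bytes.NewReader(raw), maxExcess))
}

// extensionHeavyStream is a constructed test input: n one-byte chunks, each
// carrying an extLen-byte chunk extension, so almost all wire bytes are
// metadata. It exists only to exercise the budget check.
func extensionHeavyStream(n, extLen int) []byte {
	var b bytes.Buffer
	ext := strings.Repeat("x", extLen)
	for i := 0; i < n; i++ {
		fmt.Fprintf(&b, "1;pad=%s\r\nA\r\n", ext)
	}
	b.WriteString("0\r\n\r\n")
	return b.Bytes()
}

func main() {
	normal := []byte("5;note=ok\r\nhello\r\n6\r\n world\r\n0\r\n\r\n") // constructed
	body, err := decodeChunked(normal, 16*1024)
	fmt.Printf("normal: %q err=%v\n", body, err)

	heavy := extensionHeavyStream(100, 1000)
	body, err = decodeChunked(heavy, 16*1024)
	fmt.Printf("heavy: delivered %d body bytes of %d on the wire, err=%v\n",
		len(body), len(heavy), err)
}
```

With these constants the benign stream decodes to "hello world", while the extension-heavy stream is cut off after 16 one-byte chunks (about 17 KiB consumed of roughly 100 KiB on the wire) instead of being drained to the end; a handler that never reads the body gains the same protection because the server-side drain goes through the same reader.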
CVE-2023-45285
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
Additional information:
N/A
Downloads:
SRPMS
- delve-1.20.2-1.module+el8+1726+bcceb995.src.rpm
MD5: 70a406d55ff3c92dd2d603ce5e9b054b
SHA-256: 8448d44407b8db8f0139d99aa2619295a3e11c6357e20f0f2ea783a8964317ca
Size: 8.73 MB
- golang-1.20.12-2.module+el8+1726+bcceb995.src.rpm
MD5: f60ff1ce78aebe40ac0f2ec1a89d2d44
SHA-256: b3117f20c82b7c717c9f6cc9d3ac6362efb17ccd65f660fe9185505c165c6079
Size: 24.77 MB
- go-toolset-1.20.12-1.module+el8+1726+bcceb995.src.rpm
MD5: b423fccaf69ed54a644c915919373963
SHA-256: 07575e1abc1fb7f6078d68761b58469c6979a3ab4416ee7253c5f3e104617d91
Size: 15.01 kB
Asianux Server 8 for x86_64
- delve-1.20.2-1.module+el8+1726+bcceb995.x86_64.rpm
MD5: f1ace769535047fedb4aebf1efd12eca
SHA-256: 6ad01578f2c0323dc3651f62017cec8763d597a91b8ddad7ec4a258670392e5e
Size: 4.36 MB
- delve-debugsource-1.20.2-1.module+el8+1726+bcceb995.x86_64.rpm
MD5: e45f5a19d0bab58c506afec3c7df4c22
SHA-256: 97d43abc72c1bdd5764ea271b871ed16e2fb461a15407feb5aaadbaba8f56e72
Size: 0.99 MB
- golang-1.20.12-2.module+el8+1726+bcceb995.x86_64.rpm
MD5: 6067352de75513125bde5c17125eef01
SHA-256: 40587924d9006ee94f223bf9c842baacc0daa4cfe32dd473da4b6801810204bf
Size: 684.97 kB
- golang-bin-1.20.12-2.module+el8+1726+bcceb995.x86_64.rpm
MD5: 0ebadd0450dcde82b370262f2053208f
SHA-256: 7ab9d82a8d4e3f8dd25285979cd69e46f9c3d416c2b46d9e40be55a2ec71c54e
Size: 65.11 MB
- golang-docs-1.20.12-2.module+el8+1726+bcceb995.noarch.rpm
MD5: 1f0a06d1a62106f7b543fe0a6cd5be27
SHA-256: decf7239241404f3c89ee3cd42d6d5119d9403e2660161302fa04061e1ca4ff6
Size: 134.40 kB
- golang-misc-1.20.12-2.module+el8+1726+bcceb995.noarch.rpm
MD5: 97ce6796c10218efb41f5266e467b2c6
SHA-256: 2b112559f884b7d297c7818c3f89865b3b397b5d817a5218768172f7c64596eb
Size: 238.51 kB
- golang-src-1.20.12-2.module+el8+1726+bcceb995.noarch.rpm
MD5: 1bcd1ebff32bf22e248f8bf1dc335881
SHA-256: a4ee8a58413ff3f4243a3ec1fe994d5573edc47bd380fb1eac526f2b30e751be
Size: 11.79 MB
- golang-tests-1.20.12-2.module+el8+1726+bcceb995.noarch.rpm
MD5: 7729a7a6cf4649acd00225996988da53
SHA-256: 16222cf1b02de019dca93cbdd4c6aad6d4a6442143518e2fa892e80ebe0e4c5e
Size: 8.20 MB
- go-toolset-1.20.12-1.module+el8+1726+bcceb995.x86_64.rpm
MD5: 796105814bf05fc7ee8002d128e9bf54
SHA-256: 19cafe209e6d6f82f5c50dc60971e33dc53c891973fcd55b5fe805abb13cf5ea
Size: 13.04 kB