go-toolset:rhel8 security update
Errata ID: AXSA:2024-7720:01
Release date:
2024/04/25 Thursday - 15:43
Title:
go-toolset:rhel8 security update
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
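The following issues have been addressed.
[Security Fix]
- Go's HTTP/2 protocol stack does not adequately limit the size of
CONTINUATION frames and so allows headers of arbitrary size to be
read. A remote attacker can cause a denial of service (resource
exhaustion) by sending a large number of CONTINUATION frames crafted
so that the header block contains Huffman-compressed data.
(CVE-2023-45288)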
Modularity name: go-toolset
Stream name: rhel8
Solution:
Update the packages.
CVE:
CVE-2023-45288
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
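The limit described above can be modelled on raw frame headers. The following Go program is an added example, not code from Go's HTTP/2 implementation or from this advisory: it counts the header-block bytes a receiver would process with and without a cap on excess data. The `excessLimit` parameter, the helper names and the sample frame sizes are assumptions made for illustration, and byte counts stand in for HPACK/Huffman decoding work.

```go
package main

import (
	"errors"
	"fmt"
)

const frameHeaders, frameContinuation, flagEndHeaders = 0x1, 0x9, 0x4 // RFC 9113
var errExcessHeaders = errors.New("excess header data: close connection")

// scanHeaderBlock walks raw HTTP/2 frames and counts the header-block bytes a
// receiver would hand to its HPACK decoder. maxHeaderBytes models MaxHeaderBytes;
// excessLimit (hypothetical knob) caps bytes processed beyond it; < 0 = no cap.
func scanHeaderBlock(buf []byte, maxHeaderBytes, excessLimit int) (parsed int, err error) {
	for len(buf) >= 9 {
		length := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])
		typ, flags := buf[3], buf[4]
		if len(buf) < 9+length {
			return parsed, errors.New("truncated frame")
		}
		if typ == frameHeaders || typ == frameContinuation {
			parsed += length
			if excessLimit >= 0 && parsed-maxHeaderBytes > excessLimit {
				return parsed, errExcessHeaders
			}
			if flags&flagEndHeaders != 0 {
				return parsed, nil
			}
		}
		buf = buf[9+length:]
	}
	return parsed, nil
}

// frame builds one constructed frame on stream 1 with an n-byte zero payload.
func frame(typ, flags byte, n int) []byte {
	h := []byte{byte(n >> 16), byte(n >> 8), byte(n), typ, flags, 0, 0, 0, 1}
	return append(h, make([]byte, n)...)
}

func main() {
	// Constructed input: HEADERS then 200 CONTINUATION frames, no END_HEADERS.
	in := frame(frameHeaders, 0, 1024)
	for i := 0; i < 200; i++ {
		in = append(in, frame(frameContinuation, 0, 1024)...)
	}
	fmt.Println(scanHeaderBlock(in, 4096, -1))   // uncapped model
	fmt.Println(scanHeaderBlock(in, 4096, 4096)) // capped model
}
```

With no cap the whole header block is processed even though the request is already over `maxHeaderBytes`; with the cap, processing stops and the connection is marked for closing shortly after the limit is crossed.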
Additional information:
N/A
Downloads:
SRPMS
- delve-1.20.2-1.module+el8+1746+c846cbb7.src.rpm
MD5: 3b0d2ee8214cd2b9a5e964b4226e5240
SHA-256: 368c4492004c647d2820979590dddb1322eb1b73ffb9a59fd6f52dcb28ce4bbb
Size: 8.73 MB
- golang-1.20.12-8.module+el8+1746+c846cbb7.src.rpm
MD5: 3c9d6979da7459155684e34130e0e467
SHA-256: af295d637f9ad05095cf98ef87af624107f974a9ff384c5612ac8fcdf90fc6fb
Size: 24.77 MB
- go-toolset-1.20.12-1.module+el8+1746+c846cbb7.src.rpm
MD5: b3f68ff5c18cc3ec906ce1c4466e6d95
SHA-256: da60873b8c8562003324e9b6c42b2442457d2c9d369e003165a5f158130cfaa6
Size: 15.01 kB
Asianux Server 8 for x86_64
- delve-1.20.2-1.module+el8+1746+c846cbb7.x86_64.rpm
MD5: c0feba6b01026c3d3e472337094ad985
SHA-256: bfdf11ae5aaac1ba5055005d0d614e70b3a122bb88ef8f28bf569bc69e40d8ae
Size: 4.36 MB
- delve-debugsource-1.20.2-1.module+el8+1746+c846cbb7.x86_64.rpm
MD5: 25697d11dd5779f92ef0c704f2ff251d
SHA-256: af17bac0d01e3fd857aea349cede37d0e1b9dc19fa07e668d423402da108fc28
Size: 0.99 MB
- golang-1.20.12-8.module+el8+1746+c846cbb7.x86_64.rpm
MD5: e880f142a0a71569e97f2d4ab0562fa2
SHA-256: f35d1b2cf48df5ee45889ea7538ec8f11ca1df398d4c89c47b51c91166e97835
Size: 685.41 kB
- golang-bin-1.20.12-8.module+el8+1746+c846cbb7.x86_64.rpm
MD5: b7ab304f4f8ca81288c7e33192a05c15
SHA-256: ea6c12d21e044ee195664121687ea6a7e63f04d5958da65b5499a38418191a7e
Size: 65.12 MB
- golang-docs-1.20.12-8.module+el8+1746+c846cbb7.noarch.rpm
MD5: 2922ff84ac27901da1cfffc872db4082
SHA-256: 0a1cff06864e5fe023bf2b1924e195e0ce05e86c2f7a7e14c35c83444eb2eb7a
Size: 134.67 kB
- golang-misc-1.20.12-8.module+el8+1746+c846cbb7.noarch.rpm
MD5: e6427c6442e89df2c7e3c603503f2bad
SHA-256: f2b1279b8f4fe27bcd803af8460c911bb847b9bd103d141522db618ad2dba125
Size: 238.78 kB
- golang-src-1.20.12-8.module+el8+1746+c846cbb7.noarch.rpm
MD5: 144665e0e1d9fca7a34e44741ae63c70
SHA-256: f7f3c2f50ee788643d1045399d9919e55f159b19aa8fbc556ad354829860febb
Size: 11.79 MB
- golang-tests-1.20.12-8.module+el8+1746+c846cbb7.noarch.rpm
MD5: 1af6a29412955a6fb7fa0cd300096cbe
SHA-256: 9586fc9a012719d1f5ce3b81b416686b7260caa80ba90bc26dcc9911f6b29206
Size: 8.20 MB
- go-toolset-1.20.12-1.module+el8+1746+c846cbb7.x86_64.rpm
MD5: 8da301815d26c3d46f6b70ca5f746989
SHA-256: be8ed10ba72a86b7ba869adbb7533af1ccbd9b09d5f6c4986252616ec4a4ff67
Size: 13.04 kB