delve-1.21.2-2.el9, golang-1.21.9-2.el9
Errata ID: AXSA:2024-7759:01
delve:
Delve is a debugger for the Go programming language. The goal of the project is to provide a simple, full featured debugging tool for Go. Delve should be easy to invoke and easy to use. Chances are if you're using a debugger, things aren't going your way. With that in mind, Delve should stay out of your way as much as possible.
golang:
The Go Programming Language.
Security Fix(es):
golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)
golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)
golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (CVE-2023-45289)
golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)
golang: net/mail: comments in display names are incorrectly handled (CVE-2024-24784)
golang: html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785)
golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Update packages.
A memory leak flaw was found in the golang-fips/openssl RSA encrypting/decrypting code, which might lead to resource exhaustion when the inputs are attacker-controlled. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters so that a deferred function can free pkey and ctx if there is an error initializing the context or setting its properties. All error-case return statements, however, follow the "return nil, nil, fail(...)" pattern, so pkey and ctx are already nil inside the deferred function that should free them, and the allocated objects are never released.
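The named-return pattern the advisory describes, reproduced with a constructed handle counter standing in for the OpenSSL pkey and ctx objects (added example, not the golang-fips/openssl code): leaky mirrors the `return nil, nil, fail(...)` error path, fixed keeps the same deferred cleanup but leaves the named results intact so it can actually free them.

```go
package main
import "errors"

// Constructed stand-in for the C objects (pkey, ctx) the advisory says leak.
type handle struct{}
var live int // handles allocated and not yet freed

func newHandle() *handle { live++; return &handle{} }
func liveHandles() int  { return live }
func (h *handle) free() {
	if h != nil { // nil-safe, like freeing an absent object
		live--
	}
}

// leaky reproduces the pattern described for rsa.go: the deferred cleanup reads the
// named results, but `return nil, nil, err` nils them first, so nothing is freed.
func leaky(fail bool) (pkey, ctx *handle, err error) {
	defer func() {
		if err != nil {
			pkey.free()
			ctx.free()
		}
	}()
	pkey = newHandle()
	ctx = newHandle()
	if fail {
		return nil, nil, errors.New("setting RSA property failed") // pkey, ctx leak
	}
	return pkey, ctx, nil
}

// fixed keeps the same defer but sets err and uses a bare return, so the cleanup
// sees the real handles; it then clears them so the caller never gets a freed one.
func fixed(fail bool) (pkey, ctx *handle, err error) {
	defer func() {
		if err != nil {
			pkey.free()
			ctx.free()
			pkey, ctx = nil, nil
		}
	}()
	pkey = newHandle()
	ctx = newHandle()
	if fail {
		err = errors.New("setting RSA property failed")
		return
	}
	return pkey, ctx, nil
}
```

Calling leaky(true) leaves two live handles behind; fixed(true) returns the same error with zero handles outstanding.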
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With the fix, ParseMultipartForm now correctly limits the maximum size of form lines.
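A defender-side bound that holds regardless of patch level (added example, not code from the advisory or from Go itself): cap the request body with http.MaxBytesReader before ParseMultipartForm touches it, so neither a single long line nor the form as a whole can consume more than the configured number of bytes. The /upload path, the "note" field and the 4 KiB limit are assumptions for this demo.

```go
package main

import (
	"bytes"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// maxFormBytes caps what a client may send in one form post; tiny for the demo.
const maxFormBytes = 4 << 10

// readNote hard-caps the body first, so ParseMultipartForm can never read more
// than maxFormBytes no matter how the multipart lines are laid out.
// The "note" field name is an assumption for this demo, not from the advisory.
func readNote(w http.ResponseWriter, r *http.Request) (string, error) {
	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
	if err := r.ParseMultipartForm(maxFormBytes); err != nil {
		return "", err
	}
	return r.FormValue("note"), nil
}

func uploadHandler(w http.ResponseWriter, r *http.Request) {
	note, err := readNote(w, r)
	if err != nil {
		// MaxBytesReader has already told the server to close this connection.
		http.Error(w, "form too large or malformed", http.StatusBadRequest)
		return
	}
	w.Write([]byte(note))
}

// multipartRequest builds a constructed multipart body whose "note" value is n bytes.
func multipartRequest(n int) *http.Request {
	var buf bytes.Buffer
	mw := multipart.NewWriter(&buf)
	fw, _ := mw.CreateFormField("note")
	fw.Write(bytes.Repeat([]byte("A"), n))
	mw.Close()
	req := httptest.NewRequest(http.MethodPost, "/upload", &buf)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	return req
}

// statusFor runs the handler on a request whose "note" field is n bytes long.
func statusFor(n int) int {
	rr := httptest.NewRecorder()
	uploadHandler(rr, multipartRequest(n))
	return rr.Code
}
```

A 64-byte field is accepted; a 64 KiB field is rejected after at most 4 KiB has been read.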
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the number of excess header frames that will be processed before the connection is closed.
N/A
SRPMS
- delve-1.21.2-2.el9.src.rpm
  MD5: 4e2b940e6d2ecbd8061a9615d115e312
  SHA-256: 5b17bc90ed98e8d7dffec3d6909bfd52b98e32c257320efb4b0a89607b531026
  Size: 8.96 MB
- golang-1.21.9-2.el9.src.rpm
  MD5: c2fa8d1af14fe8f2e47443dcb877df05
  SHA-256: 27671a4e76fe8b204ffdf5450af9a8206f108437a6781804c97c6cecb7c48fee
  Size: 25.71 MB
Asianux Server 9 for x86_64
- delve-1.21.2-2.el9.x86_64.rpm
  MD5: 656bc4c2fa0ee5c342c0c2653025261f
  SHA-256: 47d529e5240e6e2632bb7f59c433a51ebcbc35a4da4b0d4397039836046e4560
  Size: 4.59 MB
- golang-1.21.9-2.el9.x86_64.rpm
  MD5: f93ac06cdb68630f096c646aa9975166
  SHA-256: 3938ea6aca82430271c5a4614f3ef651cb0a49e6dae2147e1362aa6f88b103c5
  Size: 659.60 kB
- golang-bin-1.21.9-2.el9.x86_64.rpm
  MD5: 585151f060a038fead19eecc672718ff
  SHA-256: 3a5969665a45136a5ec34af7ee6eb70dd3667e2fad7fb92941b554720bc0742e
  Size: 55.66 MB
- golang-docs-1.21.9-2.el9.noarch.rpm
  MD5: f1b14be39f227079c1fa9bf1dbe3df6f
  SHA-256: 20ef9cd44fae5e48e4ea5104be449be864c2fca53b39652be536a8c229ef6436
  Size: 97.05 kB
- golang-misc-1.21.9-2.el9.noarch.rpm
  MD5: 2e237ba5428d900c9ead90784e0d8767
  SHA-256: 79e4ae1b6b3643d89714455eef3da85de72e409dc23f8427d59389bb64c910c2
  Size: 46.14 kB
- golang-src-1.21.9-2.el9.noarch.rpm
  MD5: 50352eb0efd7bbb28ab529dbc835caa7
  SHA-256: a8fa4763076dc73b971a062c6995a58703557c0d909e0b2d7c113d7e1418e902
  Size: 11.36 MB
- golang-tests-1.21.9-2.el9.noarch.rpm
  MD5: 4bb32f900bb6eb8fee7d84a731fc31e3
  SHA-256: 556d139006bdb5250bfea7480b905ae07b25543d05eaae0d93c0ecbf0ed735dd
  Size: 8.14 MB
- go-toolset-1.21.9-2.el9.x86_64.rpm
  MD5: 0cec3c633c9ce9410dd92df8396a856c
  SHA-256: 5bf42b61cdc4c2bc9d646bf97df1beb88ce552a3796504ff52f1afc52959203f
  Size: 9.58 kB