AlmaLinuxALSA-2022:5799Important: go-toolset and golang security and bug fix update
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
56.2%
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
The golang packages provide the Go programming language compiler.
Security Fix(es):
- golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
- golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
- golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
- golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
- golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
- golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
- golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
- golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
- golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es): - Clean up dist-git patches (BZ#2109174)
- Update Go to version 1.17.12 (BZ#2109183)
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| almalinux | 9 | noarch | golang-src | < 1.17.12-1.el9_0 | golang-src-1.17.12-1.el9_0.noarch.rpm |
| almalinux | 9 | noarch | golang-tests | < 1.17.12-1.el9_0 | golang-tests-1.17.12-1.el9_0.noarch.rpm |
| almalinux | 9 | noarch | golang-misc | < 1.17.12-1.el9_0 | golang-misc-1.17.12-1.el9_0.noarch.rpm |
| almalinux | 9 | ppc64le | golang | < 1.17.12-1.el9_0 | golang-1.17.12-1.el9_0.ppc64le.rpm |
| almalinux | 9 | ppc64le | golang-bin | < 1.17.12-1.el9_0 | golang-bin-1.17.12-1.el9_0.ppc64le.rpm |
| almalinux | 9 | noarch | golang-docs | < 1.17.12-1.el9_0 | golang-docs-1.17.12-1.el9_0.noarch.rpm |
| almalinux | 9 | aarch64 | golang | < 1.17.12-1.el9_0 | golang-1.17.12-1.el9_0.aarch64.rpm |
| almalinux | 9 | aarch64 | golang-bin | < 1.17.12-1.el9_0 | golang-bin-1.17.12-1.el9_0.aarch64.rpm |
| almalinux | 9 | s390x | golang | < 1.17.12-1.el9_0 | golang-1.17.12-1.el9_0.s390x.rpm |
| almalinux | 9 | s390x | golang-bin | < 1.17.12-1.el9_0 | golang-bin-1.17.12-1.el9_0.s390x.rpm |
References
access.redhat.com/errata/RHSA-2022:5799
access.redhat.com/security/cve/CVE-2022-1705
access.redhat.com/security/cve/CVE-2022-1962
access.redhat.com/security/cve/CVE-2022-28131
access.redhat.com/security/cve/CVE-2022-30630
access.redhat.com/security/cve/CVE-2022-30631
access.redhat.com/security/cve/CVE-2022-30632
access.redhat.com/security/cve/CVE-2022-30633
access.redhat.com/security/cve/CVE-2022-30635
access.redhat.com/security/cve/CVE-2022-32148
bugzilla.redhat.com/2107342
bugzilla.redhat.com/2107371
bugzilla.redhat.com/2107374
bugzilla.redhat.com/2107376
bugzilla.redhat.com/2107383
bugzilla.redhat.com/2107386
bugzilla.redhat.com/2107388
bugzilla.redhat.com/2107390
bugzilla.redhat.com/2107392
errata.almalinux.org/9/ALSA-2022-5799.html
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
56.2%