Medium: golang

Issue Overview:

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. (CVE-2022-23772)

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags. (CVE-2022-23773)

A flaw was found in the elliptic package of the crypto library in golang when the IsOnCurve function could return true for invalid field elements. This flaw allows an attacker to take advantage of this undefined behavior, affecting the availability and integrity of the resource. (CVE-2022-23806)

Affected Packages:

golang

Issue Correction:
Run yum update golang to update your system.

New Packages:

i686:  
    golang-bin-1.16.15-1.38.amzn1.i686  
    golang-shared-1.16.15-1.38.amzn1.i686  
    golang-1.16.15-1.38.amzn1.i686  
  
noarch:  
    golang-tests-1.16.15-1.38.amzn1.noarch  
    golang-src-1.16.15-1.38.amzn1.noarch  
    golang-docs-1.16.15-1.38.amzn1.noarch  
    golang-misc-1.16.15-1.38.amzn1.noarch  
  
src:  
    golang-1.16.15-1.38.amzn1.src  
  
x86_64:  
    golang-bin-1.16.15-1.38.amzn1.x86_64  
    golang-race-1.16.15-1.38.amzn1.x86_64  
    golang-shared-1.16.15-1.38.amzn1.x86_64  
    golang-1.16.15-1.38.amzn1.x86_64  

Additional References

Red Hat: CVE-2022-23772, CVE-2022-23773, CVE-2022-23806

Mitre: CVE-2022-23772, CVE-2022-23773, CVE-2022-23806