| Summary: | golang new security issue CVE-2023-45288 (HTTP/2 CONTINUATION Flood) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.mageia.org/show_bug.cgi?id=33076 https://bugs.mageia.org/show_bug.cgi?id=33087 | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | golang-1.21.7-1.1.mga9.src.rpm | CVE: | CVE-2023-45288 |
| Status comment: | Fixed upstream in 1.21.9 | ||
Description
Nicolas Salguero 2024-04-09 10:13:01 CEST

Nicolas Salguero 2024-04-09 10:13:25 CEST
CVE: (none) => CVE-2023-45288

Assigning to Stig who normally maintains Golang.

Assignee: bugsquad => smelror

Lewis Smith 2024-04-09 22:04:22 CEST
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33076

Nicolas Salguero 2024-04-10 16:00:57 CEST
Blocks: (none) => 33087

Nicolas Salguero 2024-04-10 16:27:33 CEST
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33087

Nicolas Salguero 2024-04-10 16:28:09 CEST
Blocks: 33087 => (none)

Advisory
========

Golang has been updated to version 1.21.9 to fix CVE-2023-45288.

CVE-2023-45288: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

References
==========

https://www.openwall.com/lists/oss-security/2024/04/05/4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288

Files
=====

Uploaded to core/updates_testing

golang-misc-1.21.9-1.mga9
golang-docs-1.21.9-1.mga9
golang-1.21.9-1.mga9
golang-tests-1.21.9-1.mga9
golang-src-1.21.9-1.mga9
golang-bin-1.21.9-1.mga9
golang-shared-1.21.9-1.mga9

from golang-1.21.9-1.mga9.src.rpm

Assignee: smelror => qa-bugs

Mageia9, x64

$ rpm -qa | grep golang
golang-src-1.21.7-1.1.mga9
golang-bin-1.21.7-1.1.mga9
golang-1.21.7-1.1.mga9
golang-misc-1.21.7-1.1.mga9
golang-docs-1.21.7-1.1.mga9
golang-tests-1.21.7-1.1.mga9
golang-shared-1.21.7-1.1.mga9

Ran the update via qarepo etc without issues.

$ rpm -q golang
golang-1.21.9-1.mga9

A docker rebuild is the standard way to test golang but have hit a snag. Cannot access svn, at all, not even svn up from mgaadvisories.

CC: (none) => tarazed25
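The CONTINUATION flood described in the advisory above, as an added Go example that is not Mageia's code nor the Go project's fix: it encodes and parses HTTP/2 HEADERS and CONTINUATION frames from a constructed byte stream and compares two header-block readers, the pre-fix one that keeps parsing discarded header data until END_HEADERS arrives, and the post-fix one that closes the connection once the data past MaxHeaderBytes exceeds a budget. The 1 MiB used for maxHeaderBytes matches Go's DefaultMaxHeaderBytes; the excess budget (one further MaxHeaderBytes here), the function names (parseFrames, buildHeaderBlock, readHeaderBlock) and the zero-filled fragment bytes are assumptions of this example, not the values or code of the upstream fix.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// HEADERS, CONTINUATION and END_HEADERS from RFC 9113, section 6.
const frameHeaders, frameContinuation, flagEndHeaders byte = 0x1, 0x9, 0x4

var (
	ErrHeaderTooLarge   = errors.New("header block exceeds MaxHeaderBytes; stream rejected") // request refused, connection kept
	ErrConnectionClosed = errors.New("excess header data over limit; connection closed")     // post-fix behaviour
	ErrBadStream        = errors.New("malformed or unterminated header block")
)

type frame struct {
	typ, flags byte
	stream     uint32
	payload    []byte
}

// encodeFrame emits the wire form: 24-bit length, type, flags, 31-bit stream id, payload.
func encodeFrame(typ, flags byte, stream uint32, payload []byte) []byte {
	n := len(payload)
	hdr := []byte{byte(n >> 16), byte(n >> 8), byte(n), typ, flags, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(hdr[5:9], stream&0x7fffffff)
	return append(hdr, payload...)
}

// parseFrames splits a raw byte stream into frames (no connection preface, no padding).
func parseFrames(raw []byte) ([]frame, error) {
	var out []frame
	for len(raw) > 0 {
		if len(raw) < 9 {
			return nil, ErrBadStream
		}
		n := int(raw[0])<<16 | int(raw[1])<<8 | int(raw[2])
		if len(raw) < 9+n {
			return nil, ErrBadStream
		}
		out = append(out, frame{raw[3], raw[4], binary.BigEndian.Uint32(raw[5:9]) & 0x7fffffff, raw[9 : 9+n]})
		raw = raw[9+n:]
	}
	return out, nil
}

// buildHeaderBlock constructs one HEADERS frame followed by nContinuations CONTINUATION
// frames on one stream. Fragment bytes are constructed filler, not real HPACK: the model
// charges cost per byte handed to the decoder. endHeaders=false is the attacker's flood.
func buildHeaderBlock(stream uint32, fragSize, nContinuations int, endHeaders bool) []byte {
	frag := bytes.Repeat([]byte{0x00}, fragSize)
	var raw []byte
	typ := frameHeaders
	for i := 0; i <= nContinuations; i++ {
		var flags byte
		if endHeaders && i == nContinuations {
			flags = flagEndHeaders
		}
		raw = append(raw, encodeFrame(typ, flags, stream, frag)...)
		typ = frameContinuation
	}
	return raw
}

// readHeaderBlock consumes a HEADERS frame and its CONTINUATION frames and reports the frames
// and payload bytes it processed. Past maxHeaderBytes nothing is stored but every fragment is
// still parsed; excessLimit budgets that discarded data, and 0 means no budget (pre-fix).
func readHeaderBlock(frames []frame, maxHeaderBytes, excessLimit int) (n, parsed int, err error) {
	if len(frames) == 0 || frames[0].typ != frameHeaders {
		return 0, 0, ErrBadStream
	}
	for i, f := range frames {
		if i > 0 && (f.typ != frameContinuation || f.stream != frames[0].stream) {
			return n, parsed, ErrBadStream
		}
		n++
		parsed += len(f.payload) // the HPACK decoder walks these bytes even past the limit
		if excessLimit > 0 && parsed-maxHeaderBytes > excessLimit {
			return n, parsed, ErrConnectionClosed // bounded work per connection: stop and drop it
		}
		if f.flags&flagEndHeaders != 0 {
			if parsed > maxHeaderBytes {
				err = ErrHeaderTooLarge
			}
			return n, parsed, err
		}
	}
	return n, parsed, ErrBadStream // input ran out while still waiting for END_HEADERS
}

func main() {
	// Constructed flood: HEADERS + 200 CONTINUATION frames of 16 KiB, END_HEADERS never sent.
	frames, _ := parseFrames(buildHeaderBlock(1, 16*1024, 200, false))
	for _, limit := range []int{0, 1 << 20} { // 0 = pre-fix; the 1 MiB excess budget is assumed
		n, parsed, err := readHeaderBlock(frames, 1<<20, limit)
		fmt.Printf("excessLimit=%d: frames=%d bytes=%d err=%v\n", limit, n, parsed, err)
	}
}
```

Running it prints both outcomes for the same 3.2 MB stream: the pre-fix reader parses all 201 frames and only stops because the constructed input is finite, whereas a real attacker never sends END_HEADERS and keeps the receiver decoding (Huffman-coded data in particular) for as long as the connection lives; the post-fix reader gives up after 129 frames, about 2 MiB, and closes the connection. A request that is too large but does terminate is still refused at the stream level without tearing down the connection.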
katnatek 2024-04-12 20:55:49 CEST
Keywords: (none) => advisory

SVN back in action. Checked out docker and followed the usual recipe and built current docker without a hitch. Along the way another 366 golang components were hauled in.

In docker build directory,
$ cd RPMS/x86_64
$ ls
docker-24.0.5-5.mga9.x86_64.rpm
docker-devel-24.0.5-5.mga9.x86_64.rpm
docker-fish-completion-24.0.5-5.mga9.x86_64.rpm
docker-logrotate-24.0.5-5.mga9.x86_64.rpm
docker-nano-24.0.5-5.mga9.x86_64.rpm
docker-zsh-completion-24.0.5-5.mga9.x86_64.rpm

For comparison;
$ rpm -q docker
docker-24.0.5-4.mga9

So it looks like it is ahead of the curve. Anyway, golang passes with flying colours.

Whiteboard: (none) => MGA64-OK

Len Lawrence 2024-04-12 22:23:55 CEST
Whiteboard: MGA64-OK => MGA9-64-OK

Thank you, Len. Validating.

CC: (none) => andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0128.html

Status: NEW => RESOLVED