Red Hat Product Errata RHSA-2024:3259 - Security Advisory
Issued:
2024-05-22
Updated:
2024-05-22

RHSA-2024:3259 - Security Advisory

Synopsis

Important: go-toolset:rhel8 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.

Security Fix(es):

  • golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)
  • golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (CVE-2023-45289)
  • golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)
  • golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)
  • golang: net/mail: comments in display names are incorrectly handled (CVE-2024-24784)
  • golang: html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 2268017 - CVE-2023-45290 golang: net/http: memory exhaustion in Request.ParseMultipartForm
  • BZ - 2268018 - CVE-2023-45289 golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
  • BZ - 2268019 - CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm
  • BZ - 2268021 - CVE-2024-24784 golang: net/mail: comments in display names are incorrectly handled
  • BZ - 2268022 - CVE-2024-24785 golang: html/template: errors returned from MarshalJSON methods may break template escaping
  • BZ - 2268273 - CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS

Red Hat Enterprise Linux for x86_64 8

SRPM
delve-1.21.2-3.module+el8.10.0+21244+5b2d9000.src.rpm SHA-256: 637205623447c123177ae1e10d01e05550910b3ec623d98ff7a8c5166339da0c
go-toolset-1.21.9-1.module+el8.10.0+21671+b35c3b78.src.rpm SHA-256: 969e1a64f8fff9acca41dc97df41809040debf45a37c2872cb6e2e04c12ba219
golang-1.21.9-1.module+el8.10.0+21671+b35c3b78.src.rpm SHA-256: f2bf7c9f0109048c7bfca987b1297c8fa4e40cd45d87552f626126a8caa82046
x86_64
golang-docs-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: cb0a574e0eee4a71dea62e3b00ad8808d3739461c5676f5d9d11c469e05b96fe
golang-misc-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: 9095549fec7891b1826d4fbab76e319499c19b44851baf205ad085b0fbc22f79
golang-src-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: bd4f1285c3c76567dfeeaffb74cc3a061e01ac66e8efc4185ae112fc51e77056
golang-tests-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: 562b38e5e9347789b569f83605294d444d663f8b8cf92ad75376b7845e93cb7c
delve-1.21.2-3.module+el8.10.0+21244+5b2d9000.x86_64.rpm SHA-256: 9b22c683cd9dc0099b16045377b5ea58dd901e184af45ae7a8e04f71f8fada52
delve-debuginfo-1.21.2-3.module+el8.10.0+21244+5b2d9000.x86_64.rpm SHA-256: 80c91d6087bb38ce47b81e33e53b3e0b83e7dcdf20b2feddef595247495f0c4f
delve-debugsource-1.21.2-3.module+el8.10.0+21244+5b2d9000.x86_64.rpm SHA-256: eb865db6882f0368989efaa1ac0111f3fd2d7f42dd7bf6f459ab57dd5767c0b3
go-toolset-1.21.9-1.module+el8.10.0+21671+b35c3b78.x86_64.rpm SHA-256: 255a4f69caed17bc3be2edfd2dc446bce8ad06e51a82b65a15582e710b2dd844
golang-1.21.9-1.module+el8.10.0+21671+b35c3b78.x86_64.rpm SHA-256: 62746d25788c806888492dcf0227174f6fe5d1b54f9154fd28135f91f560cb53
golang-bin-1.21.9-1.module+el8.10.0+21671+b35c3b78.x86_64.rpm SHA-256: 505818a232c0424fd1774e33cd7cae1172c49b348ab4084c45c58eb937c40a87

Red Hat Enterprise Linux for IBM z Systems 8

SRPM
go-toolset-1.21.9-1.module+el8.10.0+21671+b35c3b78.src.rpm SHA-256: 969e1a64f8fff9acca41dc97df41809040debf45a37c2872cb6e2e04c12ba219
golang-1.21.9-1.module+el8.10.0+21671+b35c3b78.src.rpm SHA-256: f2bf7c9f0109048c7bfca987b1297c8fa4e40cd45d87552f626126a8caa82046
s390x
go-toolset-1.21.9-1.module+el8.10.0+21671+b35c3b78.s390x.rpm SHA-256: 56d2f0a4addd14b5f94d4eb3b1528b9949fba38049e0e9810bd9d23fdc490e79
golang-1.21.9-1.module+el8.10.0+21671+b35c3b78.s390x.rpm SHA-256: 5ab41a5059fbdb30a15627731b9ea63af8166dcab047d45ec938cc2d25c8bbd3
golang-bin-1.21.9-1.module+el8.10.0+21671+b35c3b78.s390x.rpm SHA-256: f03a93e51fb52044b7626fab08dc00bb75b8dd65c7856ac6cd7ca1b5eb15f162
golang-docs-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: cb0a574e0eee4a71dea62e3b00ad8808d3739461c5676f5d9d11c469e05b96fe
golang-misc-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: 9095549fec7891b1826d4fbab76e319499c19b44851baf205ad085b0fbc22f79
golang-src-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: bd4f1285c3c76567dfeeaffb74cc3a061e01ac66e8efc4185ae112fc51e77056
golang-tests-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: 562b38e5e9347789b569f83605294d444d663f8b8cf92ad75376b7845e93cb7c

Red Hat Enterprise Linux for Power, little endian 8

SRPM
delve-1.21.2-3.module+el8.10.0+21244+5b2d9000.src.rpm SHA-256: 637205623447c123177ae1e10d01e05550910b3ec623d98ff7a8c5166339da0c
go-toolset-1.21.9-1.module+el8.10.0+21671+b35c3b78.src.rpm SHA-256: 969e1a64f8fff9acca41dc97df41809040debf45a37c2872cb6e2e04c12ba219
golang-1.21.9-1.module+el8.10.0+21671+b35c3b78.src.rpm SHA-256: f2bf7c9f0109048c7bfca987b1297c8fa4e40cd45d87552f626126a8caa82046
ppc64le
golang-docs-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: cb0a574e0eee4a71dea62e3b00ad8808d3739461c5676f5d9d11c469e05b96fe
golang-misc-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: 9095549fec7891b1826d4fbab76e319499c19b44851baf205ad085b0fbc22f79
golang-src-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: bd4f1285c3c76567dfeeaffb74cc3a061e01ac66e8efc4185ae112fc51e77056
golang-tests-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: 562b38e5e9347789b569f83605294d444d663f8b8cf92ad75376b7845e93cb7c
delve-1.21.2-3.module+el8.10.0+21244+5b2d9000.ppc64le.rpm SHA-256: 71e6ee56072620ffcb52e9f4ac9bcaacff663a9bb23997b8ef186ed9839a2a2d
delve-debuginfo-1.21.2-3.module+el8.10.0+21244+5b2d9000.ppc64le.rpm SHA-256: 854b0a46f76b764d06cb5d17bb85fe1b165c1b91f141cd6ef8ab0e890b076d5b
delve-debugsource-1.21.2-3.module+el8.10.0+21244+5b2d9000.ppc64le.rpm SHA-256: b09a34d0bb1f782deda4abd981f1af69a74cfcdd81b1eadca738d2c8ad1bf61b
go-toolset-1.21.9-1.module+el8.10.0+21671+b35c3b78.ppc64le.rpm SHA-256: e9844d554307f02746313e7c294053eee34920b6a987566d871d1cc5004acfa3
golang-1.21.9-1.module+el8.10.0+21671+b35c3b78.ppc64le.rpm SHA-256: 845dc20a5ed0f5b45908f3daed582b3905f0bc7bd2ad2b0e05b4b0f8b5cbd705
golang-bin-1.21.9-1.module+el8.10.0+21671+b35c3b78.ppc64le.rpm SHA-256: dcf62671e8b7f2e8f265c58349ea844599937a86fe5f1fe6ecad3e3883f400ea

Red Hat Enterprise Linux for ARM 64 8

SRPM
delve-1.21.2-3.module+el8.10.0+21244+5b2d9000.src.rpm SHA-256: 637205623447c123177ae1e10d01e05550910b3ec623d98ff7a8c5166339da0c
go-toolset-1.21.9-1.module+el8.10.0+21671+b35c3b78.src.rpm SHA-256: 969e1a64f8fff9acca41dc97df41809040debf45a37c2872cb6e2e04c12ba219
golang-1.21.9-1.module+el8.10.0+21671+b35c3b78.src.rpm SHA-256: f2bf7c9f0109048c7bfca987b1297c8fa4e40cd45d87552f626126a8caa82046
aarch64
golang-docs-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: cb0a574e0eee4a71dea62e3b00ad8808d3739461c5676f5d9d11c469e05b96fe
golang-misc-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: 9095549fec7891b1826d4fbab76e319499c19b44851baf205ad085b0fbc22f79
golang-src-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: bd4f1285c3c76567dfeeaffb74cc3a061e01ac66e8efc4185ae112fc51e77056
golang-tests-1.21.9-1.module+el8.10.0+21671+b35c3b78.noarch.rpm SHA-256: 562b38e5e9347789b569f83605294d444d663f8b8cf92ad75376b7845e93cb7c
delve-1.21.2-3.module+el8.10.0+21244+5b2d9000.aarch64.rpm SHA-256: f942a3b8613ee40be5b4aa976962376365b46824ec97d78601a30c5a1ce3b732
delve-debuginfo-1.21.2-3.module+el8.10.0+21244+5b2d9000.aarch64.rpm SHA-256: 3c78033f988fce55daf22a90f5dd34e6b26bdd2dca7eb74c2f60dde967c4b624
delve-debugsource-1.21.2-3.module+el8.10.0+21244+5b2d9000.aarch64.rpm SHA-256: 39de98e8a330369ea84b45ed39745d4b460b9bf2efc3fb3050f3597c9d4ce543
go-toolset-1.21.9-1.module+el8.10.0+21671+b35c3b78.aarch64.rpm SHA-256: d41e2b2ef9e683ca15c0247d930b7ce682574769760eb1a0420f7cea08b5ace0
golang-1.21.9-1.module+el8.10.0+21671+b35c3b78.aarch64.rpm SHA-256: e2f59eba212b6177e5d36081f68bb76f5b3a7a8b075f8b2e475117d74fde6b2d
golang-bin-1.21.9-1.module+el8.10.0+21671+b35c3b78.aarch64.rpm SHA-256: e1f288353bc86d5425d68e0cf8dd02bfa7de2daa8c46f07be9303cb21838a5b6

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.