Amazon Linux 2 Security Advisory: ALAS-2021-1609
Advisory Release Date: 2021-02-19 01:24 Pacific
Advisory Updated Date: 2021-02-19 22:02 Pacific
In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. (CVE-2021-3114)
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). (CVE-2021-3115)
Affected Packages:
golang
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update golang to update your system.
aarch64:
golang-1.15.8-1.amzn2.0.1.aarch64
golang-bin-1.15.8-1.amzn2.0.1.aarch64
noarch:
golang-docs-1.15.8-1.amzn2.0.1.noarch
golang-misc-1.15.8-1.amzn2.0.1.noarch
golang-tests-1.15.8-1.amzn2.0.1.noarch
golang-src-1.15.8-1.amzn2.0.1.noarch
src:
golang-1.15.8-1.amzn2.0.1.src
x86_64:
golang-1.15.8-1.amzn2.0.1.x86_64
golang-bin-1.15.8-1.amzn2.0.1.x86_64
golang-race-1.15.8-1.amzn2.0.1.x86_64
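
To confirm after the update that a Go toolchain is outside the affected ranges stated above (before 1.14.14, and 1.15.x before 1.15.7), the version reported by go version can be classified with a short script. This is an added example, not part of the Amazon advisory; the function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Go version against the
# affected ranges stated above: before 1.14.14, and 1.15.x before 1.15.7.

# Pull the "goX.Y.Z" token out of a line of `go version` output.
extract_go_version() {
    for tok in $1; do
        case $tok in
            go[0-9]*) echo "$tok"; return 0 ;;
        esac
    done
    return 1
}

# Print "affected", "not-affected" or "unknown" for a version such as
# "go1.15.6" or "1.14.13".
go_version_status() {
    v=${1#go}
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;  # rc/beta/devel builds
    esac
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -ne 1 ]; then
        echo unknown                      # the advisory only speaks about Go 1.x
    elif [ "$minor" -lt 14 ]; then
        echo affected                     # older than 1.14.14
    elif [ "$minor" -eq 14 ] && [ "$patch" -lt 14 ]; then
        echo affected
    elif [ "$minor" -eq 15 ] && [ "$patch" -lt 7 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample lines in the format `go version` prints.
for line in "go version go1.15.8 linux/amd64" \
            "go version go1.15.6 linux/arm64" \
            "go version go1.14.13 linux/amd64"; do
    ver=$(extract_go_version "$line")
    echo "$ver: $(go_version_status "$ver")"
done
```

go version also accepts the path of a compiled Go binary and reports the toolchain that built it, so the same classification can be applied to binaries built before the update.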