Amazon Linux 2 Security Advisory: ALAS-2024-2643
Advisory Release Date: 2024-09-25 22:07 Pacific
Advisory Updated Date: 2024-10-02 14:30 Pacific
Severity:
Important
References:
CVE-2024-34155
CVE-2024-34156
CVE-2024-34158
FAQs regarding Amazon Linux ALAS/CVE Severity
FAQs regarding Amazon Linux ALAS/CVE Severity
Issue Overview:
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. (CVE-2024-34155)
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. (CVE-2024-34156)
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. (CVE-2024-34158)
Affected Packages:
golang
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update golang to update your system.
New Packages:
aarch64:
golang-1.22.7-1.amzn2.0.1.aarch64
golang-bin-1.22.7-1.amzn2.0.1.aarch64
golang-shared-1.22.7-1.amzn2.0.1.aarch64
noarch:
golang-docs-1.22.7-1.amzn2.0.1.noarch
golang-misc-1.22.7-1.amzn2.0.1.noarch
golang-tests-1.22.7-1.amzn2.0.1.noarch
golang-src-1.22.7-1.amzn2.0.1.noarch
src:
golang-1.22.7-1.amzn2.0.1.src
x86_64:
golang-1.22.7-1.amzn2.0.1.x86_64
golang-bin-1.22.7-1.amzn2.0.1.x86_64
golang-shared-1.22.7-1.amzn2.0.1.x86_64