Amazon Linux 2022 Security Advisory: ALAS-2021-007
Advisory Release Date: 2021-12-17 20:59 Pacific
Advisory Updated Date: 2021-12-17 22:31 Pacific
A validation flaw was found in golang. When invoking functions from WASM modules built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments. The highest threat from this vulnerability is to integrity. (CVE-2021-38297)
An out-of-bounds read vulnerability was found in debug/macho of the Go standard library. When malformed binaries are parsed with the debug/macho standard library (stdlib) functions Open or OpenFat, a subsequent call to ImportedSymbols can make golang attempt to read outside of a slice (array), causing a panic. An attacker can use this vulnerability to craft a file which causes an application using this library to crash, resulting in a denial of service. (CVE-2021-41771)
A vulnerability was found in archive/zip of the Go standard library. In applications written in Go, Reader.Open (the API implementing io/fs.FS, introduced in Go 1.16) can panic when parsing a crafted ZIP archive containing completely invalid names, or when it is given an empty filename argument. (CVE-2021-41772)
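As an added example (not part of this advisory or of the Go project's code), the following Go program wraps archive/zip's Reader.Open so that an application handling untrusted archives fails with an error rather than a process crash for the CVE-2021-41772 case; the in-memory archive and the names buildSampleZip and SafeReadEntry are constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"io/fs"
)

func buildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf) // constructed sample archive, not data from the advisory
	f, err := w.Create("dir/hello.txt")
	if err != nil {
		panic(err)
	}
	f.Write([]byte("hello")) // writes into a bytes.Buffer cannot fail
	w.Close()
	return buf.Bytes()
}

// SafeReadEntry reads one entry via Reader.Open (the io/fs.FS API named in CVE-2021-41772),
// rejecting names that fail fs.ValidPath and turning any parser panic into an error.
func SafeReadEntry(archive []byte, name string) (data []byte, err error) {
	if !fs.ValidPath(name) {
		return nil, fmt.Errorf("invalid entry name %q", name)
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("archive parser panicked on %q: %v", name, r)
		}
	}()
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	f, err := zr.Open(name)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(f)
}

func main() {
	for _, name := range []string{"dir/hello.txt", "", "../escape"} {
		data, err := SafeReadEntry(buildSampleZip(), name)
		fmt.Printf("%q -> data=%q err=%v\n", name, data, err)
	}
}
```

The recover is a safety net for hosts still on an unpatched golang package; the fix remains the update listed below.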
Affected Packages:
golang
Issue Correction:
Run dnf update --releasever=2022.0.20211217 golang to update your system.
aarch64:
golang-1.16.10-1.amzn2022.aarch64
golang-bin-1.16.10-1.amzn2022.aarch64
golang-shared-1.16.10-1.amzn2022.aarch64
noarch:
golang-docs-1.16.10-1.amzn2022.noarch
golang-misc-1.16.10-1.amzn2022.noarch
golang-src-1.16.10-1.amzn2022.noarch
golang-tests-1.16.10-1.amzn2022.noarch
src:
golang-1.16.10-1.amzn2022.src
x86_64:
golang-1.16.10-1.amzn2022.x86_64
golang-shared-1.16.10-1.amzn2022.x86_64
golang-race-1.16.10-1.amzn2022.x86_64
golang-bin-1.16.10-1.amzn2022.x86_64