Amazon Linux 2022 Security Advisory: ALAS-2022-009
Advisory Release Date: 2022-01-25 10:52 Pacific
Advisory Updated Date: 2022-01-26 21:43 Pacific
A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. (CVE-2021-33196)
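Added example, not part of this advisory and not code from the Go project: a Go wrapper for applications that must accept ZIP archives from untrusted sources. It bounds the bytes it buffers before parsing, turns a panic raised inside archive/zip (the failure mode described above) into an ordinary error so one bad archive cannot terminate the process, and caps the decompressed size of each entry instead of trusting the size declared in the header. The size limits, the Entry type, and the sample archive are constructed for this example; updating the golang package as listed under Issue Correction remains the fix for the parser itself.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// Limits chosen for this example (assumptions, not values from the advisory).
const (
	maxArchiveBytes = 1 << 20 // accept at most 1 MiB of archive input
	maxEntryBytes   = 4 << 20 // decompress at most 4 MiB per entry
)

var ErrTooLarge = errors.New("archive or entry exceeds size limit")

// SafeListZip reads an archive from an untrusted reader and returns its entry
// names. Three defensive measures keep a malformed or hostile archive from
// crashing or exhausting the process: the input is bounded before it is
// buffered, a panic raised inside archive/zip is converted into an error, and
// each entry is decompressed only up to a fixed cap.
func SafeListZip(r io.Reader) (names []string, err error) {
	// Read one byte past the cap so an over-limit archive is rejected rather
	// than silently truncated into a differently shaped file.
	data, readErr := io.ReadAll(io.LimitReader(r, maxArchiveBytes+1))
	if readErr != nil {
		return nil, readErr
	}
	if len(data) > maxArchiveBytes {
		return nil, ErrTooLarge
	}

	// A panic inside the parser would otherwise unwind past this function and
	// take the whole program down; report it through the error return instead.
	defer func() {
		if rec := recover(); rec != nil {
			names = nil
			err = fmt.Errorf("zip parser panic: %v", rec)
		}
	}()

	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, fmt.Errorf("invalid zip: %w", err)
	}
	for _, f := range zr.File {
		rc, openErr := f.Open()
		if openErr != nil {
			return nil, fmt.Errorf("open %q: %w", f.Name, openErr)
		}
		// The declared UncompressedSize64 is attacker-controlled, so enforce
		// the cap on the bytes actually produced, not on the header value.
		n, copyErr := io.Copy(io.Discard, io.LimitReader(rc, maxEntryBytes+1))
		rc.Close()
		if copyErr != nil {
			return nil, fmt.Errorf("read %q: %w", f.Name, copyErr)
		}
		if n > maxEntryBytes {
			return nil, fmt.Errorf("entry %q: %w", f.Name, ErrTooLarge)
		}
		names = append(names, f.Name)
	}
	return names, nil
}

// Entry is one constructed file for the sample archive.
type Entry struct{ Name, Body string }

// BuildZip writes a valid archive to memory; it is the constructed sample
// input for the example, standing in for an upload or a downloaded file.
func BuildZip(entries []Entry) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.Name)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write([]byte(e.Body)); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	sample, _ := BuildZip([]Entry{{"notes.txt", "hello"}, {"data/log.txt", "line1\nline2\n"}})
	cases := []struct {
		label string
		in    []byte
	}{
		{"valid archive", sample},
		{"not an archive", []byte("plain text, not an archive")},
		{"oversized input", make([]byte, maxArchiveBytes+1)},
	}
	for _, c := range cases {
		names, err := SafeListZip(bytes.NewReader(c.in))
		fmt.Printf("%-16s -> names=%v err=%v\n", c.label, names, err)
	}
}
```

The wrapper never extracts to disk; listing with a bounded decompression pass is enough to reject archives whose entries inflate far beyond their declared or compressed size before any later stage of the application touches them.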
There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise degrade system performance and resources. (CVE-2021-44716)
There's a flaw in golang's syscall.ForkExec() interface. An attacker who manages to first cause file descriptor exhaustion in the process, then cause syscall.ForkExec() to be called repeatedly, could compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using syscall.ForkExec(). (CVE-2021-44717)
Affected Packages:
golang
Issue Correction:
Run dnf update --releasever=2022.0.20220125 golang to update your system.
aarch64:
golang-1.16.13-1.amzn2022.aarch64
golang-bin-1.16.13-1.amzn2022.aarch64
golang-shared-1.16.13-1.amzn2022.aarch64
noarch:
golang-docs-1.16.13-1.amzn2022.noarch
golang-misc-1.16.13-1.amzn2022.noarch
golang-src-1.16.13-1.amzn2022.noarch
golang-tests-1.16.13-1.amzn2022.noarch
src:
golang-1.16.13-1.amzn2022.src
x86_64:
golang-1.16.13-1.amzn2022.x86_64
golang-race-1.16.13-1.amzn2022.x86_64
golang-shared-1.16.13-1.amzn2022.x86_64
golang-bin-1.16.13-1.amzn2022.x86_64