Amazon Linux 2022 Security Advisory: ALAS-2022-193
Advisory Release Date: 2022-11-01 21:24 Pacific
Advisory Updated Date: 2022-12-06 16:46 Pacific
A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly fails to reject the invalid header. (CVE-2022-1705)
A flaw was found in the golang standard library, go/parser. When any of the Parse functions is called on Go source code that contains deeply nested types or declarations, a panic can occur due to stack exhaustion. This issue allows an attacker to impact system availability. (CVE-2022-1962)
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)
A flaw was found in golang encoding/xml. When calling Decoder.Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion and allows an attacker to impact system availability. (CVE-2022-28131)
A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This could allow an attacker to impact availability. (CVE-2022-30630)
A flaw was found in golang. Calling the Reader.Read method on an archive that contains a large number of concatenated 0-length compressed files can cause a panic issue due to stack exhaustion. (CVE-2022-30631)
A flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic due to stack exhaustion. This could allow an attacker to impact availability. (CVE-2022-30632)
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the any field tag. (CVE-2022-30633)
A flaw was found in golang. When calling Decoder.Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion and allows an attacker to impact system availability. (CVE-2022-30635)
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header. (CVE-2022-32148)
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)
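As an added example, not part of the advisory or of Go's own code: a guard written against the JoinPath behaviour described above. Rather than relying on JoinPath to strip ../ elements, it joins the path and then rejects the result if a ".." segment survived or if the cleaned path no longer lies under the base path, so the check holds on both unpatched and patched Go versions; the base URL and path elements are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrEscapesBase is returned when the joined URL path would leave the base path.
var ErrEscapesBase = errors.New("joined path escapes base path")

// JoinUnderBase joins elems onto base with URL.JoinPath, then checks the result
// itself instead of trusting JoinPath to remove "../" elements: a surviving ".."
// segment, or a cleaned path that no longer sits under the base path, is rejected.
func JoinUnderBase(base string, elems ...string) (string, error) {
	b, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	j := b.JoinPath(elems...)
	// Catch a literal ".." that JoinPath left in place (the unpatched behaviour).
	for _, seg := range strings.Split(j.Path, "/") {
		if seg == ".." {
			return "", ErrEscapesBase
		}
	}
	// Catch a ".." that was resolved upward past the base directory.
	basePath := path.Clean("/" + b.Path)
	gotPath := path.Clean("/" + j.Path)
	if basePath != "/" && gotPath != basePath && !strings.HasPrefix(gotPath, basePath+"/") {
		return "", ErrEscapesBase
	}
	return j.String(), nil
}

func main() {
	base := "https://example.invalid/api/v1" // constructed base URL for the demo
	for _, elem := range []string{"users/42", "../go", "a/../../x"} {
		got, err := JoinUnderBase(base, elem)
		fmt.Printf("%-12q -> %q err=%v\n", elem, got, err)
	}
}
```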
Affected Packages:
golang
Issue Correction:
Run dnf update golang --releasever=2022.0.20221102 to update your system.
aarch64:
golang-1.19.1-1.amzn2022.0.2.aarch64
golang-shared-1.19.1-1.amzn2022.0.2.aarch64
golang-bin-1.19.1-1.amzn2022.0.2.aarch64
noarch:
golang-docs-1.19.1-1.amzn2022.0.2.noarch
golang-misc-1.19.1-1.amzn2022.0.2.noarch
golang-src-1.19.1-1.amzn2022.0.2.noarch
golang-tests-1.19.1-1.amzn2022.0.2.noarch
src:
golang-1.19.1-1.amzn2022.0.2.src
x86_64:
golang-1.19.1-1.amzn2022.0.2.x86_64
golang-shared-1.19.1-1.amzn2022.0.2.x86_64
golang-bin-1.19.1-1.amzn2022.0.2.x86_64
golang-race-1.19.1-1.amzn2022.0.2.x86_64