ALAS-2024-733

Amazon Linux 2023 Security Advisory: ALAS-2024-733
Advisory Release Date: 2024-10-10 03:02 Pacific
Advisory Updated Date: 2024-10-14 16:00 Pacific

Severity: Important

References: CVE-2024-34155 CVE-2024-34156 CVE-2024-34158
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. (CVE-2024-34155)

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. (CVE-2024-34156)

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. (CVE-2024-34158)

Affected Packages:

golang

Issue Correction:
Run dnf update golang --releasever 2023.6.20241010 to update your system.

New Packages:

aarch64:
    golang-bin-1.22.7-1.amzn2023.0.1.aarch64
    golang-1.22.7-1.amzn2023.0.1.aarch64
    golang-shared-1.22.7-1.amzn2023.0.1.aarch64

noarch:
    golang-misc-1.22.7-1.amzn2023.0.1.noarch
    golang-docs-1.22.7-1.amzn2023.0.1.noarch
    golang-src-1.22.7-1.amzn2023.0.1.noarch
    golang-tests-1.22.7-1.amzn2023.0.1.noarch

src:
    golang-1.22.7-1.amzn2023.0.1.src

x86_64:
    golang-bin-1.22.7-1.amzn2023.0.1.x86_64
    golang-shared-1.22.7-1.amzn2023.0.1.x86_64
    golang-1.22.7-1.amzn2023.0.1.x86_64

Additional References

Red Hat: CVE-2024-34155, CVE-2024-34156, CVE-2024-34158

Mitre: CVE-2024-34155, CVE-2024-34156, CVE-2024-34158

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

ALAS-2024-733

Additional References