197 lines
13 KiB
XML
197 lines
13 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
|
|
<DocumentTitle xml:lang="en">An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1</DocumentTitle>
|
|
<DocumentType>Security Advisory</DocumentType>
|
|
<DocumentPublisher Type="Vendor">
|
|
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
|
|
<IssuingAuthority>openEuler security committee</IssuingAuthority>
|
|
</DocumentPublisher>
|
|
<DocumentTracking>
|
|
<Identification>
|
|
<ID>openEuler-SA-2023-1386</ID>
|
|
</Identification>
|
|
<Status>Final</Status>
|
|
<Version>1.0</Version>
|
|
<RevisionHistory>
|
|
<Revision>
|
|
<Number>1.0</Number>
|
|
<Date>2023-07-01</Date>
|
|
<Description>Initial</Description>
|
|
</Revision>
|
|
</RevisionHistory>
|
|
<InitialReleaseDate>2023-07-01</InitialReleaseDate>
|
|
<CurrentReleaseDate>2023-07-01</CurrentReleaseDate>
|
|
<Generator>
|
|
<Engine>openEuler SA Tool V1.0</Engine>
|
|
<Date>2023-07-01</Date>
|
|
</Generator>
|
|
</DocumentTracking>
|
|
<DocumentNotes>
|
|
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">golang security update</Note>
|
|
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1.</Note>
|
|
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">The Go Programming Language.
|
|
|
|
Security Fix(es):
|
|
|
|
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).(CVE-2023-29402)
|
|
|
|
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.(CVE-2023-29404)
|
|
|
|
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.(CVE-2023-29405)</Note>
|
|
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1.
|
|
|
|
openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
|
|
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Critical</Note>
|
|
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">golang</Note>
|
|
</DocumentNotes>
|
|
<DocumentReferences>
|
|
<Reference Type="Self">
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1386</URL>
|
|
</Reference>
|
|
<Reference Type="openEuler CVE">
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-29402</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-29404</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-29405</URL>
|
|
</Reference>
|
|
<Reference Type="Other">
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-29402</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-29404</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-29405</URL>
|
|
</Reference>
|
|
</DocumentReferences>
|
|
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
|
|
<Branch Type="Product Name" Name="openEuler">
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
|
|
<FullProductName ProductID="openEuler-22.03-LTS" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">openEuler-22.03-LTS</FullProductName>
|
|
<FullProductName ProductID="openEuler-22.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">openEuler-22.03-LTS-SP1</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="aarch64">
|
|
<FullProductName ProductID="golang-1.15.7-28" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">golang-1.15.7-28.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-1.15.7-28" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">golang-1.15.7-28.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-1.17.3-19" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">golang-1.17.3-19.oe2203.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-1.17.3-19" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">golang-1.17.3-19.oe2203sp1.aarch64.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="noarch">
|
|
<FullProductName ProductID="golang-help-1.15.7-28" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">golang-help-1.15.7-28.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-devel-1.15.7-28" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">golang-devel-1.15.7-28.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-devel-1.15.7-28" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">golang-devel-1.15.7-28.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-help-1.15.7-28" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">golang-help-1.15.7-28.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-devel-1.17.3-19" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">golang-devel-1.17.3-19.oe2203.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-help-1.17.3-19" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">golang-help-1.17.3-19.oe2203.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-devel-1.17.3-19" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">golang-devel-1.17.3-19.oe2203sp1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-help-1.17.3-19" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">golang-help-1.17.3-19.oe2203sp1.noarch.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="src">
|
|
<FullProductName ProductID="golang-1.15.7-28" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">golang-1.15.7-28.oe1.src.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-1.15.7-28" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">golang-1.15.7-28.oe1.src.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-1.17.3-19" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">golang-1.17.3-19.oe2203.src.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-1.17.3-19" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">golang-1.17.3-19.oe2203sp1.src.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="x86_64">
|
|
<FullProductName ProductID="golang-1.15.7-28" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">golang-1.15.7-28.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-1.15.7-28" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">golang-1.15.7-28.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-1.17.3-19" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">golang-1.17.3-19.oe2203.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="golang-1.17.3-19" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">golang-1.17.3-19.oe2203sp1.x86_64.rpm</FullProductName>
|
|
</Branch>
|
|
</ProductTree>
|
|
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via go get , are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).</Note>
|
|
</Notes>
|
|
<ReleaseDate>2023-07-01</ReleaseDate>
|
|
<CVE>CVE-2023-29402</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
<ProductID>openEuler-22.03-LTS</ProductID>
|
|
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Critical</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>9.8</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>golang security update</Description>
|
|
<DATE>2023-07-01</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1386</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="3" xml:lang="en">The go command may execute arbitrary code at build time when using cgo. This may occur when running go get on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a #cgo LDFLAGS directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2023-07-01</ReleaseDate>
|
|
<CVE>CVE-2023-29404</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
<ProductID>openEuler-22.03-LTS</ProductID>
|
|
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Critical</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>9.8</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>golang security update</Description>
|
|
<DATE>2023-07-01</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1386</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="4" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="4" xml:lang="en">The go command may execute arbitrary code at build time when using cgo. This may occur when running go get on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2023-07-01</ReleaseDate>
|
|
<CVE>CVE-2023-29405</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
<ProductID>openEuler-22.03-LTS</ProductID>
|
|
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Critical</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>9.8</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>golang security update</Description>
|
|
<DATE>2023-07-01</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1386</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
</cvrfdoc> |