Important: golang

Issue Overview:

2024-01-03: CVE-2021-27919 was added to this advisory.

An out of bounds read vulnerability was found in golang. When using the archive/zip standard library (stdlib) and an unexpected file is parsed, it can cause golang to attempt to read outside of a slice (array) causing a panic in the runtime. A potential attacker can use this vulnerability to craft an archive which causes an application using this library to crash resulting in a Denial of Service (DoS). (CVE-2021-27919)

A validation flaw was found in golang. When invoking functions from WASM modules built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments. The highest threat from this vulnerability is to integrity. (CVE-2021-38297)

An out of bounds read vulnerability was found in debug/macho of the Go standard library. When using the debug/macho standard library (stdlib) and malformed binaries are parsed using Open or OpenFat, it can cause golang to attempt to read outside of a slice (array) causing a panic when calling ImportedSymbols. An attacker can use this vulnerability to craft a file which causes an application using this library to crash resulting in a denial of service. (CVE-2021-41771)

A vulnerability was found in archive/zip of the Go standard library. Applications written in Go where Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can panic when parsing a crafted ZIP archive containing completely invalid names or an empty filename argument. (CVE-2021-41772)

There’s an uncontrolled resource consumption flaw in golang’s net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http’s http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources. (CVE-2021-44716)

There’s a flaw in golang’s syscall.ForkExec() interface. An attacker who manages to first cause a file descriptor exhaustion for the process, then cause syscall.ForkExec() to be called repeatedly, could compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using syscall.ForkExec(). (CVE-2021-44717)

Affected Packages:

golang

Issue Correction:
Run yum update golang to update your system.

New Packages:

i686:  
    golang-shared-1.16.15-1.37.amzn1.i686  
    golang-1.16.15-1.37.amzn1.i686  
    golang-bin-1.16.15-1.37.amzn1.i686  
  
noarch:  
    golang-docs-1.16.15-1.37.amzn1.noarch  
    golang-tests-1.16.15-1.37.amzn1.noarch  
    golang-misc-1.16.15-1.37.amzn1.noarch  
    golang-src-1.16.15-1.37.amzn1.noarch  
  
src:  
    golang-1.16.15-1.37.amzn1.src  
  
x86_64:  
    golang-bin-1.16.15-1.37.amzn1.x86_64  
    golang-1.16.15-1.37.amzn1.x86_64  
    golang-race-1.16.15-1.37.amzn1.x86_64  
    golang-shared-1.16.15-1.37.amzn1.x86_64  

Additional References

Red Hat: CVE-2021-27919, CVE-2021-38297, CVE-2021-41771, CVE-2021-41772, CVE-2021-44716, CVE-2021-44717

Mitre: CVE-2021-27919, CVE-2021-38297, CVE-2021-41771, CVE-2021-41772, CVE-2021-44716, CVE-2021-44717