ALAS2-2021-1609

Related Vulnerabilities: CVE-2021-3114, CVE-2021-3115

Amazon Linux 2 Security Advisory: ALAS-2021-1609
Advisory Release Date: 2021-02-19 01:24 Pacific
Advisory Updated Date: 2021-02-19 22:02 Pacific
Severity: Medium

Issue Overview:

In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. (CVE-2021-3114)

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). (CVE-2021-3115)
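A cross-check for the P-224 issue (CVE-2021-3114) above, added here as an example and not code from the advisory or from the Go project: it recomputes k*G with plain math/big affine arithmetic and compares the result with crypto/elliptic's optimized P-224 implementation, which is the kind of consistency test worth running against the updated golang package. The names addAffine, refScalarBaseMult and p224Consistent are assumptions of this example; only standard-library packages are used.

```go
package main

import (
	"crypto/elliptic"
	"math/big"
)

var p224 = elliptic.P224().Params() // p, n, Gx, Gy of P-224 as big.Ints

// addAffine adds affine points with math/big only; nil x1 means O, x2 must not be O.
func addAffine(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
	if x1 == nil {
		return x2, y2
	}
	num, den := new(big.Int), new(big.Int)
	if x1.Cmp(x2) != 0 { // chord: lambda = (y2 - y1) / (x2 - x1)
		num.Sub(y2, y1)
		den.Sub(x2, x1)
	} else if y1.Cmp(y2) != 0 || y1.Sign() == 0 {
		return nil, nil // P + (-P) = O
	} else { // tangent: lambda = (3x^2 + a) / (2y), with a = -3 on P-224
		num.Mul(x1, x1).Mul(num, big.NewInt(3)).Sub(num, big.NewInt(3))
		den.Lsh(y1, 1)
	}
	lambda := num.Mul(num, new(big.Int).ModInverse(den, p224.P)).Mod(num, p224.P)
	x3 := new(big.Int).Mul(lambda, lambda)
	x3.Sub(x3, x1).Sub(x3, x2).Mod(x3, p224.P)
	y3 := new(big.Int).Sub(x1, x3)
	y3.Mul(y3, lambda).Sub(y3, y1).Mod(y3, p224.P)
	return x3, y3
}

// refScalarBaseMult computes k*G by plain left-to-right double-and-add.
func refScalarBaseMult(k []byte) (rx, ry *big.Int) {
	s := new(big.Int).SetBytes(k)
	for i := s.BitLen() - 1; i >= 0; i-- {
		rx, ry = addAffine(rx, ry, rx, ry)
		if s.Bit(i) == 1 {
			rx, ry = addAffine(rx, ry, p224.Gx, p224.Gy)
		}
	}
	return rx, ry
}

// p224Consistent: library P-224 ScalarBaseMult matches the reference (k*G != O) and is on the curve.
func p224Consistent(k []byte) bool {
	x, y := elliptic.P224().ScalarBaseMult(k)
	rx, ry := refScalarBaseMult(k)
	return rx != nil && elliptic.P224().IsOnCurve(x, y) && x.Cmp(rx) == 0 && y.Cmp(ry) == 0
}
```

The reference is deliberately slow and non-constant-time; it exists only to check outputs, not to replace the library.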


Affected Packages:

golang


Issue Correction:
Run yum update golang to update your system.

New Packages:
aarch64:
    golang-1.15.8-1.amzn2.0.1.aarch64
    golang-bin-1.15.8-1.amzn2.0.1.aarch64

noarch:
    golang-docs-1.15.8-1.amzn2.0.1.noarch
    golang-misc-1.15.8-1.amzn2.0.1.noarch
    golang-tests-1.15.8-1.amzn2.0.1.noarch
    golang-src-1.15.8-1.amzn2.0.1.noarch

src:
    golang-1.15.8-1.amzn2.0.1.src

x86_64:
    golang-1.15.8-1.amzn2.0.1.x86_64
    golang-bin-1.15.8-1.amzn2.0.1.x86_64
    golang-race-1.15.8-1.amzn2.0.1.x86_64