Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS-2023-1871

Related Vulnerabilities: CVE-2023-39323   CVE-2023-39325   CVE-2023-44487  

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex. (CVE-2023-39323) The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-39325) The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)

Source

ALAS-2023-1871

Amazon Linux 1 Security Advisory: ALAS-2023-1871
Advisory Release Date: 2023-10-16 13:45 Pacific
Advisory Updated Date: 2023-10-18 20:09 Pacific
Severity: Important
Issue Overview:

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex. (CVE-2023-39323)

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-39325)

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)


Affected Packages:

golang


Issue Correction:
Run yum update golang to update your system.

New Packages:
i686:
    golang-shared-1.20.10-1.48.amzn1.i686
    golang-bin-1.20.10-1.48.amzn1.i686
    golang-1.20.10-1.48.amzn1.i686

noarch:
    golang-misc-1.20.10-1.48.amzn1.noarch
    golang-docs-1.20.10-1.48.amzn1.noarch
    golang-src-1.20.10-1.48.amzn1.noarch
    golang-tests-1.20.10-1.48.amzn1.noarch

src:
    golang-1.20.10-1.48.amzn1.src

x86_64:
    golang-shared-1.20.10-1.48.amzn1.x86_64
    golang-1.20.10-1.48.amzn1.x86_64
    golang-bin-1.20.10-1.48.amzn1.x86_64

Additional References

Red Hat: CVE-2023-39323, CVE-2023-39325, CVE-2023-44487

Mitre: CVE-2023-39323, CVE-2023-39325, CVE-2023-44487

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started