[ALAS-2023-1760] Amazon Linux AMI 2014.03 - ALAS-2023-1760: important priority package update for golang

Severity Important

Affected Packages 11

CVEs 3

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-29400:
html/template: improper handling of empty HTML attributes.

Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.

CVE-2023-24540:
html/template: improper handling of JavaScript whitespace.

Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

CVE-2023-24539:
html/template: improper sanitization of CSS values

Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HMTL, if executed with untrusted input.

Package	Affected Version
pkg:rpm/amazonlinux/golang?arch=x86_64&distro=amazonlinux-1	< 1.18.6-1.44.amzn1
pkg:rpm/amazonlinux/golang?arch=i686&distro=amazonlinux-1	< 1.18.6-1.44.amzn1
pkg:rpm/amazonlinux/golang-tests?arch=noarch&distro=amazonlinux-1	< 1.18.6-1.44.amzn1
pkg:rpm/amazonlinux/golang-src?arch=noarch&distro=amazonlinux-1	< 1.18.6-1.44.amzn1
pkg:rpm/amazonlinux/golang-shared?arch=x86_64&distro=amazonlinux-1	< 1.18.6-1.44.amzn1
pkg:rpm/amazonlinux/golang-shared?arch=i686&distro=amazonlinux-1	< 1.18.6-1.44.amzn1
pkg:rpm/amazonlinux/golang-race?arch=x86_64&distro=amazonlinux-1	< 1.18.6-1.44.amzn1
pkg:rpm/amazonlinux/golang-misc?arch=noarch&distro=amazonlinux-1	< 1.18.6-1.44.amzn1
pkg:rpm/amazonlinux/golang-docs?arch=noarch&distro=amazonlinux-1	< 1.18.6-1.44.amzn1
pkg:rpm/amazonlinux/golang-bin?arch=x86_64&distro=amazonlinux-1	< 1.18.6-1.44.amzn1
pkg:rpm/amazonlinux/golang-bin?arch=i686&distro=amazonlinux-1	< 1.18.6-1.44.amzn1

ID

ALAS-2023-1760

Severity

important

URL

https://alas.aws.amazon.com/ALAS-2023-1760.html

Published

2023-06-05T16:39:00
(15 months ago)

Modified

2023-06-08T23:39:00
(15 months ago)

Rights

Amazon Linux Security Team

Other Advisories

Source	# ID	URL
CVE	CVE-2023-24539	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24539
CVE	CVE-2023-24540	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24540
CVE	CVE-2023-29400	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29400

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/amazonlinux/golang?arch=x86_64&distro=amazonlinux-1	amazonlinux	golang	< 1.18.6-1.44.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/golang?arch=i686&distro=amazonlinux-1	amazonlinux	golang	< 1.18.6-1.44.amzn1	amazonlinux-1	i686
Affected	pkg:rpm/amazonlinux/golang-tests?arch=noarch&distro=amazonlinux-1	amazonlinux	golang-tests	< 1.18.6-1.44.amzn1	amazonlinux-1	noarch
Affected	pkg:rpm/amazonlinux/golang-src?arch=noarch&distro=amazonlinux-1	amazonlinux	golang-src	< 1.18.6-1.44.amzn1	amazonlinux-1	noarch
Affected	pkg:rpm/amazonlinux/golang-shared?arch=x86_64&distro=amazonlinux-1	amazonlinux	golang-shared	< 1.18.6-1.44.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/golang-shared?arch=i686&distro=amazonlinux-1	amazonlinux	golang-shared	< 1.18.6-1.44.amzn1	amazonlinux-1	i686
Affected	pkg:rpm/amazonlinux/golang-race?arch=x86_64&distro=amazonlinux-1	amazonlinux	golang-race	< 1.18.6-1.44.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/golang-misc?arch=noarch&distro=amazonlinux-1	amazonlinux	golang-misc	< 1.18.6-1.44.amzn1	amazonlinux-1	noarch
Affected	pkg:rpm/amazonlinux/golang-docs?arch=noarch&distro=amazonlinux-1	amazonlinux	golang-docs	< 1.18.6-1.44.amzn1	amazonlinux-1	noarch
Affected	pkg:rpm/amazonlinux/golang-bin?arch=x86_64&distro=amazonlinux-1	amazonlinux	golang-bin	< 1.18.6-1.44.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/golang-bin?arch=i686&distro=amazonlinux-1	amazonlinux	golang-bin	< 1.18.6-1.44.amzn1	amazonlinux-1	i686

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date