[ALAS2-2022-1859] Amazon Linux 2 2017.12 - ALAS2-2022-1859: important priority package update for golang-github-gorilla-context
Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2022-32148:
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
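The safe way to use ReverseProxy is to never trust an inbound X-Forwarded-For: either delete it in the Director so ServeHTTP appends only the real peer address, or set the header to nil so ServeHTTP omits it entirely (the nil case is exactly what CVE-2022-32148 got wrong). The block below is an added example, not code from the advisory or from the Go project; it substitutes a capturing RoundTripper for the upstream so it runs offline, and the addresses, the `upstream.internal` host and the `NewHardenedProxy`/`UpstreamXFF` names are constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// captureTransport stands in for the upstream: it records the headers of the
// outgoing request instead of sending it anywhere (constructed for the example).
type captureTransport struct {
	seen http.Header
}

func (c *captureTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	c.seen = r.Header.Clone()
	return &http.Response{
		StatusCode: http.StatusOK,
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader("")),
		Request:    r,
	}, nil
}

// NewHardenedProxy wraps NewSingleHostReverseProxy with a Director that never
// trusts a client-supplied X-Forwarded-For. With forwardClientIP set, the
// inbound header is deleted so ServeHTTP adds only the real peer address.
// Otherwise the header is set to nil, which asks ServeHTTP to omit it; before
// Go 1.17.12 / 1.18.4 the client IP was inserted anyway (CVE-2022-32148).
func NewHardenedProxy(target *url.URL, forwardClientIP bool) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(target)
	base := p.Director
	p.Director = func(req *http.Request) {
		base(req)
		if forwardClientIP {
			req.Header.Del("X-Forwarded-For")
		} else {
			req.Header["X-Forwarded-For"] = nil
		}
	}
	return p
}

// UpstreamXFF pushes one constructed request carrying a spoofed
// X-Forwarded-For through the proxy and returns the value the upstream would
// see on the wire and whether the header would be present at all. A nil map
// entry is never serialised, so presence means "has at least one value".
func UpstreamXFF(forwardClientIP bool) (value string, present bool) {
	target, _ := url.Parse("http://upstream.internal")
	ct := &captureTransport{}
	p := NewHardenedProxy(target, forwardClientIP)
	p.Transport = ct

	req := httptest.NewRequest(http.MethodGet, "http://front.example/", nil)
	req.RemoteAddr = "198.51.100.7:40000"            // real TCP peer (constructed)
	req.Header.Set("X-Forwarded-For", "203.0.113.9") // attacker-chosen value
	p.ServeHTTP(httptest.NewRecorder(), req)

	vals := ct.seen["X-Forwarded-For"]
	return strings.Join(vals, ", "), len(vals) > 0
}

func main() {
	for _, fwd := range []bool{true, false} {
		v, ok := UpstreamXFF(fwd)
		fmt.Printf("forwardClientIP=%v -> present=%v value=%q\n", fwd, ok, v)
	}
}
```

In the forwarding case the spoofed 203.0.113.9 never reaches the upstream; only 198.51.100.7 does. In the nil case no X-Forwarded-For is sent at all, which is what a proxy that deliberately hides client addresses relies on, and what a vulnerable Go build silently broke.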
CVE-2022-30635:
A flaw was found in golang encoding/gob. When calling Decoder.Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion, allowing an attacker to impact system availability.
CVE-2022-30633:
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the any field tag.
CVE-2022-30632:
A flaw was found in golang path/filepath. Calling Glob on a path that contains a large number of path separators can cause a panic due to stack exhaustion, allowing an attacker to impact availability.
CVE-2022-30631:
A flaw was found in golang compress/gzip. Calling the Reader.Read method on a gzip stream that contains a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.
CVE-2022-30630:
A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic due to stack exhaustion. This could allow an attacker to impact availability.
CVE-2022-30629:
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
CVE-2022-29526:
A flaw was found in the syscall.Faccessat function when called with a non-zero flags parameter. In that case the group-permission check compared the process's own group with the file's group instead of checking whether the process is a member of the file's group, so Faccessat could incorrectly report that a file is accessible.
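The subtle part of CVE-2022-29526 is which permission triplet gets selected: comparing only the process's effective gid with the file's gid sends a caller who belongs to the file's group through a supplementary group to the "other" bits instead. The block below is an added illustration of that selection logic, not the Go standard library's code; it assumes the fixed behaviour is "effective gid or any supplementary group counts as membership" and that the check only matters on the userspace path the wrapper takes when flags is non-zero. `FileStat`, `Proc`, `permClass` and `Access` are constructed names, and the root short-circuit of the real wrapper is left out.

```go
package main

import "fmt"

// FileStat holds the stat fields an access check needs; values are
// constructed here so the example never touches the filesystem.
type FileStat struct {
	Mode uint32 // permission bits only, e.g. 0o705
	UID  uint32
	GID  uint32
}

// Proc is the calling process as an AT_EACCESS-style check sees it:
// effective uid/gid plus supplementary groups as getgroups(2) reports them.
type Proc struct {
	EUID   uint32
	EGID   uint32
	Groups []uint32
}

const (
	R_OK uint32 = 4
	W_OK uint32 = 2
	X_OK uint32 = 1
)

// isGroupMember treats the file's group as matching if it is the effective
// gid or any supplementary group (the membership test the fix introduced).
func isGroupMember(gid uint32, p Proc) bool {
	if gid == p.EGID {
		return true
	}
	for _, g := range p.Groups {
		if g == gid {
			return true
		}
	}
	return false
}

// permClass picks the owner, group or other triplet of st for p. With
// primaryOnly set it reproduces the pre-fix logic, which compared only the
// effective gid with the file's gid and therefore fell through to the
// "other" bits for callers who are group members via supplementary groups.
func permClass(st FileStat, p Proc, primaryOnly bool) uint32 {
	switch {
	case p.EUID == st.UID:
		return (st.Mode >> 6) & 7
	case primaryOnly && p.EGID == st.GID:
		return (st.Mode >> 3) & 7
	case !primaryOnly && isGroupMember(st.GID, p):
		return (st.Mode >> 3) & 7
	default:
		return st.Mode & 7
	}
}

// Access reports whether every bit in mode (R_OK|W_OK|X_OK) is granted to p.
func Access(st FileStat, p Proc, mode uint32, primaryOnly bool) bool {
	return permClass(st, p, primaryOnly)&mode == mode
}

func main() {
	// Constructed case: owner rwx, group ---, other r-x. The caller belongs to
	// the file's group only through a supplementary group.
	st := FileStat{Mode: 0o705, UID: 0, GID: 1000}
	p := Proc{EUID: 1001, EGID: 2000, Groups: []uint32{2000, 1000}}
	fmt.Println("fixed   readable:", Access(st, p, R_OK, false)) // group bits deny
	fmt.Println("pre-fix readable:", Access(st, p, R_OK, true))  // "other" bits wrongly grant
}
```

The same mismatch cuts both ways: with mode 0o750 the pre-fix logic denies a legitimate supplementary-group member, while with 0o705 it grants access the group bits were meant to withhold, which is the "incorrectly report that a file is accessible" outcome.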
CVE-2022-28327:
An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scalar input longer than 32 bytes, causing P256().ScalarMult or P256().ScalarBaseMult to panic, leading to a loss of availability.
CVE-2022-28131:
A flaw was found in golang encoding/xml. When calling Decoder.Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion and allows an attacker to impact system availability.
CVE-2022-27664:
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVE-2022-27191:
A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with RSA keys against servers that reject SHA-2-based signature algorithms, and allows an attacker to crash the server, resulting in a loss of availability.
CVE-2022-24675:
A buffer overflow flaw was found in Golang's encoding/pem library. This flaw allows an attacker to use a large PEM input (more than 5 MB), causing a stack overflow in Decode, which leads to a loss of availability.
CVE-2022-1962:
A flaw was found in the golang standard library, go/parser. When any of the Parse functions is called on Go source code that contains deeply nested types or declarations, a panic can occur due to stack exhaustion. This issue allows an attacker to impact system availability.
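Seven of the CVEs above (gob, both XML entries, both Glob entries, gzip, go/parser) are the same class: a recursive decoder fed attacker-shaped input until the goroutine stack is exhausted. Beyond upgrading, the practitioner's defence is to bound size and nesting before the recursive code runs. The block below is an added example for the encoding/xml case, not code from the advisory or the Go project: it streams the document once with the iterative `xml.Decoder.Token` to enforce a depth and byte cap, then hands the input to `xml.Unmarshal`. `CheckXMLDepth`, `DecodeConfig`, the `Config`/`Item` types, the sample document and `NestedDoc` are all constructed for illustration.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

var (
	ErrTooDeep  = errors.New("xml: element nesting exceeds limit")
	ErrTooLarge = errors.New("xml: input exceeds size limit")
)

// CheckXMLDepth walks the token stream of r and fails once element nesting
// exceeds maxDepth or more than maxBytes have been consumed. Token() is
// iterative and nothing is allocated per level, so the check itself cannot
// be driven into stack exhaustion the way Unmarshal can.
func CheckXMLDepth(r io.Reader, maxDepth int, maxBytes int64) error {
	lr := &io.LimitedReader{R: r, N: maxBytes + 1}
	dec := xml.NewDecoder(lr)
	depth := 0
	for {
		tok, err := dec.Token()
		if err != nil {
			if lr.N == 0 {
				return ErrTooLarge // byte cap reached before a clean end of input
			}
			if err == io.EOF {
				return nil
			}
			return err
		}
		switch tok.(type) {
		case xml.StartElement:
			depth++
			if depth > maxDepth {
				return ErrTooDeep
			}
		case xml.EndElement:
			depth--
		}
	}
}

// Config and Item model a small service configuration (constructed).
type Config struct {
	XMLName xml.Name `xml:"config"`
	Items   []Item   `xml:"item"`
}

type Item struct {
	Name  string `xml:"name,attr"`
	Value string `xml:",chardata"`
}

// DecodeConfig runs the depth/size gate first and only then calls
// xml.Unmarshal, the recursive decoder the nested-input CVEs target.
func DecodeConfig(src string, maxDepth int) (*Config, error) {
	if err := CheckXMLDepth(strings.NewReader(src), maxDepth, 1<<20); err != nil {
		return nil, err
	}
	var c Config
	if err := xml.Unmarshal([]byte(src), &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// NestedDoc builds a constructed document of n nested <a> elements, the
// shape used to exhaust an unbounded recursive decoder.
func NestedDoc(n int) string {
	return strings.Repeat("<a>", n) + strings.Repeat("</a>", n)
}

// sampleConfig is a constructed, well-formed input two levels deep.
const sampleConfig = `<config><item name="timeout">30</item><item name="mode">strict</item></config>`

func main() {
	c, err := DecodeConfig(sampleConfig, 8)
	fmt.Println("items:", len(c.Items), "err:", err)
	_, err = DecodeConfig(NestedDoc(100000), 8)
	fmt.Println("hostile doc:", err)
}
```

The gate is cheap (one linear pass) and rejects the hostile document at the ninth start tag rather than after reading all of it. The same idea carries over to the other entries: cap the byte count handed to gzip.Reader, reject Glob patterns with more separators than your layout needs, and bound the size of anything passed to gob or go/parser.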
CVE-2022-1705:
A flaw was found in golang. The HTTP/1 client in net/http accepted some invalid Transfer-Encoding headers indicating "chunked" encoding. This could allow HTTP request smuggling, but only when combined with an intermediate server that also improperly fails to reject the header as invalid.
Package | Affected Version |
---|---|
pkg:rpm/amazonlinux/golang-github-gorilla-context-devel?arch=x86_64&distro=amazonlinux-2 | < 0-0.24.gitb06ed15.amzn2.0.4 |
pkg:rpm/amazonlinux/golang-github-gorilla-context-devel?arch=aarch64&distro=amazonlinux-2 | < 0-0.24.gitb06ed15.amzn2.0.4 |
- ID
- ALAS2-2022-1859
- Severity
- important
- URL
- https://alas.aws.amazon.com/AL2/ALAS-2022-1859.html
- Published
- 2022-10-17T21:46:00
- Modified
- 2023-05-11T16:17:00
- Rights
- Amazon Linux Security Team
- Other Advisories
-
- ALAS-2022-1635
- ALAS-2023-1825
- ALAS2-2022-1807
- ALAS2-2022-1830
- ALAS2-2022-1846
- ALAS2-2022-1847
- ALAS2-2022-1851
- ALAS2-2022-1858
- ALAS2-2022-1860
- ALAS2-2022-1861
- ALAS2-2022-1862
- ALAS2-2022-1863
- ALAS2-2022-1864
- ALAS2-2022-1865
- ALAS2-2023-2238
- ALPINE:CVE-2022-1705
- ALPINE:CVE-2022-1962
- ALPINE:CVE-2022-24675
- ALPINE:CVE-2022-27191
- ALPINE:CVE-2022-27664
- ALPINE:CVE-2022-28131
- ALPINE:CVE-2022-28327
- ALPINE:CVE-2022-29526
- ALPINE:CVE-2022-30629
- ALPINE:CVE-2022-30630
- ALPINE:CVE-2022-30631
- ALPINE:CVE-2022-30632
- ALPINE:CVE-2022-30633
- ALPINE:CVE-2022-30635
- ALPINE:CVE-2022-32148
- ALSA-2022:5775
- ALSA-2022:5799
- ALSA-2022:7129
- ALSA-2022:7469
- ALSA-2022:7519
- ALSA-2022:7529
- ALSA-2022:7648
- ALSA-2022:7954
- ALSA-2022:8008
- ALSA-2022:8057
- ALSA-2022:8098
- ALSA-2022:8250
- ALSA-2023:2167
- ALSA-2023:2177
- ALSA-2023:2193
- ALSA-2023:2204
- ALSA-2023:2236
- ALSA-2023:2253
- ALSA-2023:2282
- ALSA-2023:2283
- ALSA-2023:2357
- ALSA-2023:2367
- ALSA-2023:2758
- ALSA-2023:2780
- ALSA-2023:2784
- ALSA-2023:2785
- ALSA-2023:2802
- ALSA-2024:0121
- ALSA-2024:2180
- ELSA-2022-14844
- ELSA-2022-17956
- ELSA-2022-23681
- ELSA-2022-24267
- ELSA-2022-5337
- ELSA-2022-5775
- ELSA-2022-5799
- ELSA-2022-7129
- ELSA-2022-7457
- ELSA-2022-7469
- ELSA-2022-7519
- ELSA-2022-7529
- ELSA-2022-7648
- ELSA-2022-7954
- ELSA-2022-8008
- ELSA-2022-8057
- ELSA-2022-8250
- ELSA-2023-18908
- ELSA-2023-2167
- ELSA-2023-2177
- ELSA-2023-2204
- ELSA-2023-2253
- ELSA-2023-2282
- ELSA-2023-2283
- ELSA-2023-2357
- ELSA-2023-2367
- ELSA-2023-2758
- ELSA-2023-2780
- ELSA-2023-2784
- ELSA-2023-2785
- ELSA-2023-2802
- ELSA-2024-0121
- ELSA-2024-2180
- FEDORA-2022-08ae2dd481
- FEDORA-2022-13ad572b5a
- FEDORA-2022-14712f9699
- FEDORA-2022-30c5ed5625
- FEDORA-2022-3969b64d4b
- FEDORA-2022-3a63897745
- FEDORA-2022-3e1ade35db
- FEDORA-2022-45097317b4
- FEDORA-2022-4a48180f3f
- FEDORA-2022-4b5537c44c
- FEDORA-2022-5038c3236c
- FEDORA-2022-53e0f427dd
- FEDORA-2022-53f0c619c5
- FEDORA-2022-5cbd6de569
- FEDORA-2022-5e637f6cc6
- FEDORA-2022-5ef0bd9a27
- FEDORA-2022-6716cd0da2
- FEDORA-2022-67ec8c61d0
- FEDORA-2022-739c7a0058
- FEDORA-2022-741325e9a0
- FEDORA-2022-8bf5635efc
- FEDORA-2022-9986fbb3d7
- FEDORA-2022-9a9a638d09
- FEDORA-2022-a49babed75
- FEDORA-2022-a4c9009f3e
- FEDORA-2022-b0bd0219ff
- FEDORA-2022-ba365d3703
- FEDORA-2022-c0f780ecf1
- FEDORA-2022-c87047f163
- FEDORA-2022-d37fb34309
- FEDORA-2022-e46e6e8317
- FEDORA-2022-e674d52438
- FEDORA-2022-ea8f4e232d
- FEDORA-2022-fae3ecee19
- FEDORA-2022-ffe7dba2cb
- FEDORA-2023-e8c27ba884
- FEDORA-2024-80e062d21a
- FEDORA-2024-9cc0e0c63e
- FEDORA-2024-d652859efb
- FREEBSD:15888C7E-E659-11EC-B7FE-10C37B4AC2EA
- FREEBSD:61BCE714-CA0C-11EC-9CFC-10C37B4AC2EA
- FREEBSD:6FEA7103-2EA4-11ED-B403-3DAE8AC60D3E
- FREEBSD:A1360138-D446-11EC-8EA1-10C37B4AC2EA
- FREEBSD:A4F2416C-02A0-11ED-B817-10C37B4AC2EA
- GLSA-202208-02
- GLSA-202209-26
- GO-2021-0356
- GO-2022-0433
- GO-2022-0435
- GO-2022-0493
- GO-2022-0515
- GO-2022-0520
- GO-2022-0521
- GO-2022-0522
- GO-2022-0523
- GO-2022-0524
- GO-2022-0525
- GO-2022-0526
- GO-2022-0527
- GO-2022-0531
- GO-2022-0969
- MS:CVE-2022-1705
- MS:CVE-2022-1962
- MS:CVE-2022-24675
- MS:CVE-2022-27664
- MS:CVE-2022-28131
- MS:CVE-2022-28327
- MS:CVE-2022-29526
- MS:CVE-2022-30629
- MS:CVE-2022-30630
- MS:CVE-2022-30631
- MS:CVE-2022-30632
- MS:CVE-2022-30633
- MS:CVE-2022-30635
- MS:CVE-2022-32148
- RHSA-2022:5337
- RHSA-2022:5775
- RHSA-2022:5799
- RHSA-2022:7129
- RHSA-2022:7457
- RHSA-2022:7469
- RHSA-2022:7519
- RHSA-2022:7529
- RHSA-2022:7648
- RHSA-2022:7954
- RHSA-2022:8008
- RHSA-2022:8057
- RHSA-2022:8098
- RHSA-2022:8250
- RHSA-2023:0328
- RHSA-2023:0446
- RHSA-2023:2167
- RHSA-2023:2177
- RHSA-2023:2193
- RHSA-2023:2204
- RHSA-2023:2236
- RHSA-2023:2253
- RHSA-2023:2282
- RHSA-2023:2283
- RHSA-2023:2357
- RHSA-2023:2367
- RHSA-2023:2758
- RHSA-2023:2780
- RHSA-2023:2784
- RHSA-2023:2785
- RHSA-2023:2802
- RHSA-2024:0121
- RHSA-2024:2180
- RLSA-2022:5337
- RLSA-2022:5775
- RLSA-2022:7129
- RLSA-2022:7457
- RLSA-2022:7469
- RLSA-2022:7519
- RLSA-2022:7529
- RLSA-2022:7648
- RLSA-2022:8057
- RLSA-2022:8098
- RLSA-2022:8250
- SUSE-SU-2022:1410-1
- SUSE-SU-2022:1411-1
- SUSE-SU-2022:1507-1
- SUSE-SU-2022:1689-1
- SUSE-SU-2022:1829-1
- SUSE-SU-2022:1862-1
- SUSE-SU-2022:2004-1
- SUSE-SU-2022:2005-1
- SUSE-SU-2022:2671-1
- SUSE-SU-2022:2672-1
- SUSE-SU-2022:2834-1
- SUSE-SU-2022:2839-1
- SUSE-SU-2022:2839-2
- SUSE-SU-2022:3325-1
- SUSE-SU-2022:3326-1
- SUSE-SU-2022:4409-1
- SUSE-SU-2022:4463-1
- SUSE-SU-2023:2183-1
- SUSE-SU-2023:2185-1
- SUSE-SU-2023:2187-1
- SUSE-SU-2023:2312-1
- SUSE-SU-2023:2575-1
- SUSE-SU-2023:2578-1
- SUSE-SU-2023:2579-1
- SUSE-SU-2024:0191-1
- SUSE-SU-2024:0196-1
- USN-6038-1
- USN-6038-2
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:rpm/amazonlinux/golang-github-gorilla-context-devel?arch=x86_64&distro=amazonlinux-2 | amazonlinux | golang-github-gorilla-context-devel | < 0-0.24.gitb06ed15.amzn2.0.4 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/golang-github-gorilla-context-devel?arch=aarch64&distro=amazonlinux-2 | amazonlinux | golang-github-gorilla-context-devel | < 0-0.24.gitb06ed15.amzn2.0.4 | amazonlinux-2 | aarch64 | |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Publication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|