{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"Medium"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"golang security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for golang is now available for openEuler-20.03-LTS-SP1.",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"The Go Programming Language\n\nSecurity Fix(es):\n\nAn attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. (CVE-2022-41717)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for golang is now available for openEuler-20.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"Medium",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"golang",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2023-1081",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1081"
			},
			{
				"summary":"CVE-2022-41717",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2022-41717&packageName=golang"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
			},
			{
				"summary":"openEuler-SA-2023-1081 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2023/csaf-openeuler-sa-2023-1081.json"
			}
		],
		"title":"An update for golang is now available for openEuler-20.03-LTS-SP1",
		"tracking":{
			"initial_release_date":"2023-02-10T14:15:17+08:00",
			"revision_history":[
				{
					"date":"2023-02-10T14:15:17+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				},
				{
					"date":"2024-10-31T14:15:17+08:00",
					"summary":"final",
					"number":"2.0.0"
				}
			],
			"generator":{
				"date":"2024-10-31T14:15:17+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-10-31T14:15:17+08:00",
			"id":"openEuler-SA-2023-1081",
			"version":"2.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"openEuler-20.03-LTS-SP1",
									"name":"openEuler-20.03-LTS-SP1"
								},
								"name":"openEuler-20.03-LTS-SP1",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"aarch64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"golang-1.15.7-23.oe1.aarch64.rpm(20.03-LTS-SP1)",
									"name":"golang-1.15.7-23.oe1.aarch64.rpm"
								},
								"name":"golang-1.15.7-23.oe1.aarch64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"golang-devel-1.15.7-23.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"golang-devel-1.15.7-23.oe1.noarch.rpm"
								},
								"name":"golang-devel-1.15.7-23.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"golang-help-1.15.7-23.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"golang-help-1.15.7-23.oe1.noarch.rpm"
								},
								"name":"golang-help-1.15.7-23.oe1.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"golang-1.15.7-23.oe1.src.rpm(20.03-LTS-SP1)",
									"name":"golang-1.15.7-23.oe1.src.rpm"
								},
								"name":"golang-1.15.7-23.oe1.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"x86_64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"golang-1.15.7-23.oe1.x86_64.rpm(20.03-LTS-SP1)",
									"name":"golang-1.15.7-23.oe1.x86_64.rpm"
								},
								"name":"golang-1.15.7-23.oe1.x86_64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"golang-1.15.7-23.oe1.aarch64.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:golang-1.15.7-23.oe1.aarch64",
					"name":"golang-1.15.7-23.oe1.aarch64 as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"golang-devel-1.15.7-23.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:golang-devel-1.15.7-23.oe1.noarch",
					"name":"golang-devel-1.15.7-23.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"golang-help-1.15.7-23.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:golang-help-1.15.7-23.oe1.noarch",
					"name":"golang-help-1.15.7-23.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"golang-1.15.7-23.oe1.src.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:golang-1.15.7-23.oe1.src",
					"name":"golang-1.15.7-23.oe1.src as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"golang-1.15.7-23.oe1.x86_64.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:golang-1.15.7-23.oe1.x86_64",
					"name":"golang-1.15.7-23.oe1.x86_64 as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2022-41717",
			"notes":[
				{
					"text":"An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP1:golang-1.15.7-23.oe1.aarch64",
					"openEuler-20.03-LTS-SP1:golang-devel-1.15.7-23.oe1.noarch",
					"openEuler-20.03-LTS-SP1:golang-help-1.15.7-23.oe1.noarch",
					"openEuler-20.03-LTS-SP1:golang-1.15.7-23.oe1.src",
					"openEuler-20.03-LTS-SP1:golang-1.15.7-23.oe1.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP1:golang-1.15.7-23.oe1.aarch64",
						"openEuler-20.03-LTS-SP1:golang-devel-1.15.7-23.oe1.noarch",
						"openEuler-20.03-LTS-SP1:golang-help-1.15.7-23.oe1.noarch",
						"openEuler-20.03-LTS-SP1:golang-1.15.7-23.oe1.src",
						"openEuler-20.03-LTS-SP1:golang-1.15.7-23.oe1.x86_64"
					],
					"details":"golang security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1081"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.3,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP1:golang-1.15.7-23.oe1.aarch64",
						"openEuler-20.03-LTS-SP1:golang-devel-1.15.7-23.oe1.noarch",
						"openEuler-20.03-LTS-SP1:golang-help-1.15.7-23.oe1.noarch",
						"openEuler-20.03-LTS-SP1:golang-1.15.7-23.oe1.src",
						"openEuler-20.03-LTS-SP1:golang-1.15.7-23.oe1.x86_64"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2022-41717"
		}
	]
}