{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Medium" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"golang security update", "category":"general", "title":"Synopsis" }, { "text":"An update for golang is now available for openEuler-24.03-LTS", "category":"general", "title":"Summary" }, { "text":".\n\nSecurity Fix(es):\n\nA malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.(CVE-2023-39326)\n\nThe HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.(CVE-2024-45336)\n\nA certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.(CVE-2024-45341)", "category":"general", "title":"Description" }, { "text":"An update for golang is now available for openEuler-24.03-LTS.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Medium", "category":"general", "title":"Severity" }, { "text":"golang", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2025-1223", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1223" }, { "summary":"CVE-2023-39326", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-39326&packageName=golang" }, { "summary":"CVE-2024-45336", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-45336&packageName=golang" }, { "summary":"CVE-2024-45341", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-45341&packageName=golang" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39326" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45336" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45341" }, { "summary":"openEuler-SA-2025-1223 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-1223.json" } ], "title":"An update for golang is now available for openEuler-24.03-LTS", "tracking":{ "initial_release_date":"2025-03-04T15:58:31+08:00", "revision_history":[ { "date":"2025-03-04T15:58:31+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2025-03-04T15:58:31+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2025-03-04T15:58:31+08:00", "id":"openEuler-SA-2025-1223", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"openEuler-24.03-LTS", "name":"openEuler-24.03-LTS" }, "name":"openEuler-24.03-LTS", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"golang-1.21.4-31.oe2403.aarch64.rpm", "name":"golang-1.21.4-31.oe2403.aarch64.rpm" }, "name":"golang-1.21.4-31.oe2403.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"golang-1.21.4-31.oe2403.src.rpm", "name":"golang-1.21.4-31.oe2403.src.rpm" }, "name":"golang-1.21.4-31.oe2403.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"golang-1.21.4-31.oe2403.x86_64.rpm", "name":"golang-1.21.4-31.oe2403.x86_64.rpm" }, "name":"golang-1.21.4-31.oe2403.x86_64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"golang-devel-1.21.4-31.oe2403.noarch.rpm", "name":"golang-devel-1.21.4-31.oe2403.noarch.rpm" }, "name":"golang-devel-1.21.4-31.oe2403.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"golang-help-1.21.4-31.oe2403.noarch.rpm", "name":"golang-help-1.21.4-31.oe2403.noarch.rpm" }, "name":"golang-help-1.21.4-31.oe2403.noarch.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"golang-1.21.4-31.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:golang-1.21.4-31.oe2403.aarch64", "name":"golang-1.21.4-31.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"golang-1.21.4-31.oe2403.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:golang-1.21.4-31.oe2403.src", "name":"golang-1.21.4-31.oe2403.src as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"golang-1.21.4-31.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:golang-1.21.4-31.oe2403.x86_64", "name":"golang-1.21.4-31.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"golang-devel-1.21.4-31.oe2403.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:golang-devel-1.21.4-31.oe2403.noarch", "name":"golang-devel-1.21.4-31.oe2403.noarch as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"golang-help-1.21.4-31.oe2403.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:golang-help-1.21.4-31.oe2403.noarch", "name":"golang-help-1.21.4-31.oe2403.noarch as a component of openEuler-24.03-LTS" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2023-39326", "notes":[ { "text":"A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.aarch64", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.src", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.x86_64", "openEuler-24.03-LTS:golang-devel-1.21.4-31.oe2403.noarch", "openEuler-24.03-LTS:golang-help-1.21.4-31.oe2403.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.aarch64", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.src", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.x86_64", "openEuler-24.03-LTS:golang-devel-1.21.4-31.oe2403.noarch", "openEuler-24.03-LTS:golang-help-1.21.4-31.oe2403.noarch" ], "details":"golang security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1223" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.3, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version":"3.1" }, "products":[ "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.aarch64", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.src", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.x86_64", "openEuler-24.03-LTS:golang-devel-1.21.4-31.oe2403.noarch", "openEuler-24.03-LTS:golang-help-1.21.4-31.oe2403.noarch" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2023-39326" }, { "cve":"CVE-2024-45336", "notes":[ { "text":"The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.aarch64", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.src", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.x86_64", "openEuler-24.03-LTS:golang-devel-1.21.4-31.oe2403.noarch", "openEuler-24.03-LTS:golang-help-1.21.4-31.oe2403.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.aarch64", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.src", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.x86_64", "openEuler-24.03-LTS:golang-devel-1.21.4-31.oe2403.noarch", "openEuler-24.03-LTS:golang-help-1.21.4-31.oe2403.noarch" ], "details":"golang security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1223" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":6.1, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version":"3.1" }, "products":[ "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.aarch64", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.src", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.x86_64", "openEuler-24.03-LTS:golang-devel-1.21.4-31.oe2403.noarch", "openEuler-24.03-LTS:golang-help-1.21.4-31.oe2403.noarch" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2024-45336" }, { "cve":"CVE-2024-45341", "notes":[ { "text":"A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.aarch64", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.src", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.x86_64", "openEuler-24.03-LTS:golang-devel-1.21.4-31.oe2403.noarch", "openEuler-24.03-LTS:golang-help-1.21.4-31.oe2403.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.aarch64", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.src", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.x86_64", "openEuler-24.03-LTS:golang-devel-1.21.4-31.oe2403.noarch", "openEuler-24.03-LTS:golang-help-1.21.4-31.oe2403.noarch" ], "details":"golang security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1223" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":6.1, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version":"3.1" }, "products":[ "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.aarch64", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.src", "openEuler-24.03-LTS:golang-1.21.4-31.oe2403.x86_64", "openEuler-24.03-LTS:golang-devel-1.21.4-31.oe2403.noarch", "openEuler-24.03-LTS:golang-help-1.21.4-31.oe2403.noarch" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2024-45341" } ] }