An update for golang is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1223 Final 1.0 1.0 2025-02-28 Initial 2025-02-28 2025-02-28 openEuler SA Tool V1.0 2025-02-28 golang security update An update for golang is now available for openEuler-24.03-LTS . Security Fix(es): A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.(CVE-2023-39326) The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.(CVE-2024-45336) A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.(CVE-2024-45341) An update for golang is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium golang https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1223 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-39326 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-45336 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-45341 https://nvd.nist.gov/vuln/detail/CVE-2023-39326 https://nvd.nist.gov/vuln/detail/CVE-2024-45336 https://nvd.nist.gov/vuln/detail/CVE-2024-45341 openEuler-24.03-LTS golang-1.21.4-31.oe2403.aarch64.rpm golang-1.21.4-31.oe2403.src.rpm golang-1.21.4-31.oe2403.x86_64.rpm golang-devel-1.21.4-31.oe2403.noarch.rpm golang-help-1.21.4-31.oe2403.noarch.rpm A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. 2025-02-28 CVE-2023-39326 openEuler-24.03-LTS Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N golang security update 2025-02-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1223 The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2. 2025-02-28 CVE-2024-45336 openEuler-24.03-LTS Medium 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N golang security update 2025-02-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1223 A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs. 2025-02-28 CVE-2024-45341 openEuler-24.03-LTS Medium 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N golang security update 2025-02-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1223