Summary:
golang security update
Severity: High
Advisory ID: KylinSec-SA-2023-1988
Release date: October 31, 2024
The Go Programming Language.
Security Fix(es):
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags. (CVE-2023-29400)
Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input. (CVE-2023-24539)
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\f\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution. (CVE-2023-24540)
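
Besides installing the update, template source can be audited for the unquoted-attribute pattern named in CVE-2023-29400, and the attribute value quoted so that empty input still yields an explicit empty value. The Go program below is an added example, not code from this advisory or from the Go project; the function names, the regular expression (a heuristic, not an HTML parser) and the sample templates are constructed for illustration.

```go
package main

import (
	"fmt"
	"html/template"
	"regexp"
	"strings"
)

// unquotedAttrAction matches an attribute whose value starts with a template
// action and has no opening quote, e.g. alt={{.Alt}}. Heuristic only: it does
// not track HTML parser state, so review each hit by hand.
var unquotedAttrAction = regexp.MustCompile(`\s([A-Za-z_:][-\w:.]*)\s*=\s*\{\{`)

// FindUnquotedAttrActions returns the names of attributes in src whose value
// is an unquoted action, the pattern CVE-2023-29400 concerns.
func FindUnquotedAttrActions(src string) []string {
	var names []string
	for _, m := range unquotedAttrAction.FindAllStringSubmatch(src, -1) {
		names = append(names, m[1])
	}
	return names
}

// Render executes src as an html/template with data and returns the output.
func Render(src string, data interface{}) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	if err := t.Execute(&b, data); err != nil {
		return "", err
	}
	return b.String(), nil
}

func main() {
	// Constructed sample templates: unquoted attribute vs. quoted attribute.
	unquoted := `<img alt={{.}} src=photo.png>`
	quoted := `<img alt="{{.}}" src=photo.png>`
	for _, src := range []string{unquoted, quoted} {
		out, err := Render(src, "") // empty input, as in the advisory text
		fmt.Printf("template: %s\n  flagged: %v\n  output:  %q (err=%v)\n",
			src, FindUnquotedAttrActions(src), out, err)
	}
}
```

The output for the unquoted template with empty input depends on whether the installed Go toolchain carries the fix; the quoted template renders `alt=""` either way.
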
CVE name | Product | Component | Affected |
---|---|---|---|
CVE-2023-29400 | KY3.4-4A | golang | Fixed |
CVE-2023-29400 | KY3.4-5A | golang | Fixed |
CVE-2023-29400 | KY3.5.1 | golang | Fixed |
CVE-2023-29400 | KY3.5.2 | golang | Fixed |
CVE-2023-24539 | KY3.4-4A | golang | Fixed |
CVE-2023-24539 | KY3.4-5A | golang | Fixed |
CVE-2023-24539 | KY3.5.1 | golang | Fixed |
CVE-2023-24539 | KY3.5.2 | golang | Fixed |
CVE-2023-24540 | KY3.4-4A | golang | Fixed |
CVE-2023-24540 | KY3.4-5A | golang | Fixed |
CVE-2023-24540 | KY3.5.1 | golang | Fixed |
CVE-2023-24540 | KY3.5.2 | golang | Fixed |
Package name | Architecture | Version |
---|---|---|
golang-help | noarch | 1.17.3-19.kb1.ky3_5 |
golang-devel | noarch | 1.17.3-19.kb1.ky3_5 |
golang | x86_64 | 1.17.3-19.kb1.ky3_5 |
golang | aarch64 | 1.17.3-19.kb1.ky3_5 |
Package name | Architecture | Version |
---|---|---|
golang-devel | noarch | 1.15.7-31.kb1.ky3_4 |
golang-help | noarch | 1.15.7-31.kb1.ky3_4 |
golang | x86_64 | 1.15.7-31.kb1.ky3_4 |
golang | aarch64 | 1.15.7-31.kb1.ky3_4 |
Package name | Architecture | Version |
---|---|---|
golang-help | noarch | 1.15.7-31.kb1.ky3_4 |
golang-devel | noarch | 1.15.7-31.kb1.ky3_4 |
golang | x86_64 | 1.15.7-31.kb1.ky3_4 |
golang | aarch64 | 1.15.7-31.kb1.ky3_4 |
Package name | Architecture | Version |
---|---|---|
golang-devel | noarch | 1.17.3-25.ky3_5.kb5 |
golang-help | noarch | 1.17.3-25.ky3_5.kb5 |
golang | x86_64 | 1.17.3-25.ky3_5.kb5 |
golang | aarch64 | 1.17.3-25.ky3_5.kb5 |
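Method 1: Download the package and install the upgrade
1. Download the update package you need from the download link and save it, e.g. xxx.rpm
2. Upgrade with the rpm command, e.g. rpm -Uvh xxx.rpm
Method 2: Install the upgrade from the software repository
1. Make sure the system can connect to the Internet
2. Upgrade the specified package with the yum command, e.g. yum install package-name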