MGASA-2021-0018 - Updated golang packages fix security vulnerabilities Publication date: 10 Jan 2021 URL: https://advisories.mageia.org/MGASA-2021-0018.html Type: security Affected Mageia releases: 7 CVE: CVE-2020-28366, CVE-2020-28367 An input validation vulnerability was found in go. From a generated go file (from the cgo tool) it is possible to modify symbols within that object file and specify code instead. An attacker could potentially use this flaw by creating a repository which included malicious pre-built object files that could execute arbitrary code when downloaded and run via "go get" or "go build" whilst building a go project (CVE-2020-28366). An input validation vulnerability was found in go. If cgo is specified in a go file, it is possible to bypass the validation of arguments to the gcc compiler. An attacker could potentially use this flaw by creating a malicious repository which would execute arbitrary code when downloaded and run via "go get" or "go build" whilst building a go project (CVE-2020-28367). References: - https://bugs.mageia.org/show_bug.cgi?id=27650 - https://lists.fedoraproject.org/archives/list/[email protected]/thread/F3ZSHGNTJWCWYAKY5OLZS2XQQYHSXSUO/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28366 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28367 SRPMS: - 7/core/golang-1.13.15-3.mga7