MGASA-2021-0475 - Updated golang packages fix security vulnerability Publication date: 13 Oct 2021 URL: https://advisories.mageia.org/MGASA-2021-0475.html Type: security Affected Mageia releases: 8 CVE: CVE-2021-39293, CVE-2021-38297 The fix for CVE-2021-33196 can be bypassed by crafted inputs. As a result, the NewReader and OpenReader functions in archive/zip can still cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. (CVE-2021-39293) A security issue has been found in go before version 1.17.2. When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments. (CVE-2021-38297) References: - https://bugs.mageia.org/show_bug.cgi?id=29526 - https://groups.google.com/g/golang-announce/c/dx9d7IOseHw - https://groups.google.com/g/golang-announce/c/7efr4VBoZIw - https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A - https://lists.opensuse.org/archives/list/[email protected]/thread/5EY52N4KALEDKULS6YHUPW2C7OJTGHTS/ - https://security.archlinux.org/CVE-2021-38297 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39293 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38297 SRPMS: - 8/core/golang-1.17.2-1.mga8