What Are You Looking For?

Sign Up
MGASA-2022-0171 - Updated golang packages fix security vulnerability

Publication date: 12 May 2022
URL: https://advisories.mageia.org/MGASA-2022-0171.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-24675,
     CVE-2022-28327

encoding/pem: fix stack overflow in Decode. A large (more than 5 MB) PEM
input can cause a stack overflow in Decode, leading the program to crash
(CVE-2022-24675)

crypto/elliptic: tolerate all oversized scalars in generic P-256.  A
crafted scalar input longer than 32 bytes can cause P256().ScalarMult
or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and
crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.
(CVE-2022-28327)

References:
- https://bugs.mageia.org/show_bug.cgi?id=30362
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6F72F4XQADWZ2XEWVPBHNKW46B6FKIXL/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24675
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28327

SRPMS:
- 8/core/golang-1.17.9-1.mga8

Mageia 2022-0171: golang security update

encoding/pem: fix stack overflow in Decode

Summary

encoding/pem: fix stack overflow in Decode. A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash (CVE-2022-24675)
crypto/elliptic: tolerate all oversized scalars in generic P-256. A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected. (CVE-2022-28327)

References

- https://bugs.mageia.org/show_bug.cgi?id=30362

- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6F72F4XQADWZ2XEWVPBHNKW46B6FKIXL/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24675

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28327

Resolution

MGASA-2022-0171 - Updated golang packages fix security vulnerability

SRPMS

- 8/core/golang-1.17.9-1.mga8

Severity
Publication date: 12 May 2022
URL: https://advisories.mageia.org/MGASA-2022-0171.html
Type: security
CVE: CVE-2022-24675, CVE-2022-28327

Related News

CVE-2023-4911: Looney Tunables – Local Privilege Escalation in the glibc’s ld.so

Oct 19, 2023

Mitigations for Critical c-ares DoS, Code Execution Bug Released

Sep 29, 2023

Linux Malware! Read This If You Use Free Download Manager

Sep 13, 2023

Critical BusyBox Stack Overflow Vuln Fixed

Sep 22, 2023

News

Advisories

HOWTOs

Features

Critical Linux Kernel Bugs Lead to DoS, Privilege Escalation - Patch Now!
Unlocking the Future of Authentication: Passkeys vs. Passwords
Empowering MSPs with Straightforward Linux Device Management
A Complete Guide to Torrenting Safely in 2024
Cloud Security Basics for Small Businesses

About Us

Powered By

Footer Logo