MGASA-2024-0217 - Updated golang packages fix security vulnerabilities

Publication date: 14 Jun 2024
URL: https://advisories.mageia.org/MGASA-2024-0217.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-24789,
     CVE-2024-24790

The archive/zip package's handling of certain types of invalid zip files
differs from the behavior of most zip implementations. This misalignment
could be exploited to create an zip file with contents that vary
depending on the implementation reading the file. The archive/zip
package now rejects files containing these errors. (CVE-2024-24789)
The various Is methods (IsPrivate, IsLoopback, etc) did not work as
expected for IPv4-mapped IPv6 addresses, returning false for addresses
which would return true in their traditional IPv4 forms.
(CVE-2024-24790)

References:
- https://bugs.mageia.org/show_bug.cgi?id=33269
- https://www.openwall.com/lists/oss-security/2024/06/04/1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24789
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24790

SRPMS:
- 9/core/golang-1.21.11-1.mga9

Mageia 2024-0217: golang Security Advisory Updates

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations

Summary

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. (CVE-2024-24789) The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. (CVE-2024-24790)

References

- https://bugs.mageia.org/show_bug.cgi?id=33269

- https://www.openwall.com/lists/oss-security/2024/06/04/1

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24789

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24790

Resolution

MGASA-2024-0217 - Updated golang packages fix security vulnerabilities

SRPMS

- 9/core/golang-1.21.11-1.mga9

Severity
Publication date: 14 Jun 2024
URL: https://advisories.mageia.org/MGASA-2024-0217.html
Type: security
CVE: CVE-2024-24789, CVE-2024-24790

Related News

1.Penguin Landscape Esm H170
2 - 4 min read
As digital privacy and security evolves, anonymity cannot be overemphasized. Tails is a live operating system designed to keep its focus on privacy
32.Lock Code Circular Esm H170
2 - 4 min read
The Cybersecurity and Infrastructure Security Agency (CISA) recently added a new Linux kernel privilege escalation bug ( CVE-2024-1086 ) to its
6.EmailConnection Touch Esm H170
2 - 3 min read
Recent security updates for Ubuntu and Debian have been released to address vulnerabilities in Thunderbird, the popular open-source mail and
20.Lock AbstractDigital Circular Esm H170
2 - 3 min read
Google has released fixes for a high-severity Chromium security flaw ( CVE-2024-5274 ) impacting its widely used Chrome browser and other
20.Lock AbstractDigital Circular Esm H170
1 - 2 min read
The Ubuntu security team has recently discovered and addressed multiple vulnerabilities in the Apache HTTP Server (apache2) impacting versions
24.Key Code Esm H170
2 - 4 min read
Security researchers recently issued an update detailing how attackers are exploiting a PHP code execution vulnerability to spread TellYouThePass
8.Locks HexConnections CodeGlobe Esm H170
2 - 4 min read
A new backdoor, "Noodle RAT" has caused widespread alarm across the cybersecurity landscape. Research highlights this previously undisclosed malware
30.Lock Globe Motherboard Esm H170
3 - 5 min read
An update to OpenSSH , an open-source implementation of the Secure Shell (SSH) protocol, will introduce options to penalize unwanted behavior and

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved