Explore top 10 tips to secure your open-source projects now. Read More
×MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through 10.11.*, and 11.0 through 11.0.* can sometimes crash with an empty backtrace log. This may be related to make_aggr_tables_info and optimize_stage2 - CVE-2023-52969. MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through . MGASA-2025-0186 - Updated mariadb packages fix security vulnerabilities Publication date: 11 Jun 2025 URL: https://advisories.mageia.org/MGASA-2025-0186.html Type: security Affected Mageia releases: 9 CVE: CVE-2023-52969, CVE-2023-52970, CVE-2023-52971, CVE-2025-30693, CVE-2025-30722 MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through 10.11.*, and 11.0 through 11.0.* can sometimes crash with an empty backtrace log. This may be related to make_aggr_tables_info and optimize_stage2 - CVE-2023-52969. MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through 10.11.*, 11.0 through 11.0.*, and 11.1 through 11.4.* crashes in Item_direct_view_ref::derived_field_transformer_for_where - CVE-2023-52970. MariaDB Server 10.10 through 10.11.* and 11.0 through 11.4.* crashes in JOIN::fix_all_splittings_in_plan - CVE-2023-52971. Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H) - CVE-2025-30693. Vulnerability in the MySQL Client product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and9.0.0-9.2.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Client accessible data as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N) - CVE-2025-30722 References: - https://bugs.mageia.org/show_bug.cgi?id=34342 - https://mariadb.com/docs/release-notes/community-server/11.4/11.4.7 - https://mariadb.com/docs/release-notes/community-server/11.4/11.4.6 - https://ubuntu.com/security/notices/USN-7548-1 - https://www.cve.org/CVERecord?id=CVE-2023-52969 - https://www.cve.org/CVERecord?id=CVE-2023-52970 - https://www.cve.org/CVERecord?id=CVE-2023-52971 - https://www.cve.org/CVERecord?id=CVE-2025-30693 - https://www.cve.org/CVERecord?id=CVE-2025-30722 SRPMS: - 9/core/mariadb-11.4.7-1.mga9 . The recent MariaDB enhancements within Mageia tackle a range of security flaws, bolstering system robustness and protecting data accuracy for its community.. MariaDB Security, Mageia Update, DOS Prevention, Crash Protection. . LinuxSecurity.com Team
Updated to 1.9.10, this fixes CVE-2025-30193: Denial of service via crafted TCP exchange. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-d2d34aad4c 2025-05-30 01:14:13.237061+00:00 -------------------------------------------------------------------------------- Name : dnsdist Product : Fedora 42 Version : 1.9.10 Release : 1.fc42 URL : https://www.dnsdist.org/index.html Summary : Highly DNS-, DoS- and abuse-aware loadbalancer Description : dnsdist is a highly DNS-, DoS- and abuse-aware loadbalancer. Its goal in life is to route traffic to the best server, delivering top performance to legitimate users while shunting or blocking abusive traffic. -------------------------------------------------------------------------------- Update Information: Updated to 1.9.10, this fixes CVE-2025-30193: Denial of service via crafted TCP exchange -------------------------------------------------------------------------------- ChangeLog: * Wed May 21 2025 Sander Hoentjen - 1.9.10-1 - Update to 1.9.10 - fixes #2367441 - fixes #2367560, #2367561, #2367562, #2367460 (CVE-2025-30193) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2367441 - dnsdist-1.9.10 is available https://bugzilla.redhat.com/show_bug.cgi?id=2367441 [ 2 ] Bug #2367560 - CVE-2025-30193 dnsdist: Denial of service via crafted TCP exchange [epel-9] https://bugzilla.redhat.com/show_bug.cgi?id=2367560 [ 3 ] Bug #2367561 - CVE-2025-30193 dnsdist: Denial of service via crafted TCP exchange [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2367561 [ 4 ] Bug #2367562 - CVE-2025-30193 dnsdist: Denial of service via crafted TCP exchange [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2367562 -------------------------------------------------------------------------------- This update can be installed with the "dnf"update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-d2d34aad4c' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
* bsc#1234663 * bsc#1234664 Cross-References: * CVE-2024-50379 . # Security update for tomcat Announcement ID: SUSE-SU-2025:0394-1 Release Date: 2025-02-10T07:34:45Z Rating: important References: * bsc#1234663 * bsc#1234664 Cross-References: * CVE-2024-50379 * CVE-2024-54677 CVSS scores: * CVE-2024-50379 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2024-50379 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-50379 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2024-54677 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2024-54677 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2024-54677 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Affected Products: * SUSE Linux Enterprise High Performance Computing 12 SP5 * SUSE Linux Enterprise Server 12 SP5 * SUSE Linux Enterprise Server 12 SP5 LTSS * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security * SUSE Linux Enterprise Server for SAP Applications 12 SP5 An update that solves two vulnerabilities can now be installed. ## Description: This update for tomcat fixes the following issues: * CVE-2024-50379: Fixed remote code execution (RCE) due to TOCTOU issue in JSP compilation (bsc#1234663). * CVE-2024-54677: Fixed denial-of-service (DoS) attack in examples web application (bsc#1234664). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server 12 SP5 LTSS zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-394=1 * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-394=1 ## Package List: * SUSE Linux Enterprise Server 12 SP5 LTSS (noarch) *tomcat-javadoc-9.0.36-3.136.1 * tomcat-servlet-4_0-api-9.0.36-3.136.1 * tomcat-jsp-2_3-api-9.0.36-3.136.1 * tomcat-el-3_0-api-9.0.36-3.136.1 * tomcat-docs-webapp-9.0.36-3.136.1 * tomcat-admin-webapps-9.0.36-3.136.1 * tomcat-lib-9.0.36-3.136.1 * tomcat-webapps-9.0.36-3.136.1 * tomcat-9.0.36-3.136.1 * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch) * tomcat-javadoc-9.0.36-3.136.1 * tomcat-servlet-4_0-api-9.0.36-3.136.1 * tomcat-jsp-2_3-api-9.0.36-3.136.1 * tomcat-el-3_0-api-9.0.36-3.136.1 * tomcat-docs-webapp-9.0.36-3.136.1 * tomcat-admin-webapps-9.0.36-3.136.1 * tomcat-lib-9.0.36-3.136.1 * tomcat-webapps-9.0.36-3.136.1 * tomcat-9.0.36-3.136.1 ## References: * https://www.suse.com/security/cve/CVE-2024-50379.html * https://www.suse.com/security/cve/CVE-2024-54677.html * https://bugzilla.suse.com/show_bug.cgi?id=1234663 * https://bugzilla.suse.com/show_bug.cgi?id=1234664 . SUSE announces critical updates for Tomcat, tackling vulnerabilities related to remote code execution and denial-of-service concerns, including comprehensive fix insights.. tomcat security, software update, remote execution, DoS attack, SUSE advisory. . Severity: Important. LinuxSecurity.com Team
It was discovered that there was a potential Denial of Service (DoS) vulnerability, in Django, a popular Python-based web development framework. . - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4006-1
A security issue was discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure. Google is aware that an exploit for CVE-2024-5274 exists in the wild. . - ------------------------------------------------------------------------- Debian Security Advisory DSA-5697-1
Important: nodejs:18 security update. {"type": "TYPE_SECURITY", "shortCode": "RL", "name": "RLSA-2024:1510", "synopsis": "Important: nodejs:18 security update", "severity": "SEVERITY_IMPORTANT", "topic": "An update is available for nodejs-nodemon, module.nodejs, nodejs, module.nodejs-nodemon, module.nodejs-packaging, nodejs-packaging.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", "description": "Node.js is a software development platform for building fast and scalable\nnetwork applications in the JavaScript programming language.\n\nSecurity Fix(es):\n\n* nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019)\n\n* nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin) (CVE-2023-46809)\n\n* nodejs: code injection and privilege escalation through Linux capabilities (CVE-2024-21892)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "solution": null, "affectedProducts": ["Rocky Linux 8"], "fixes": [{"ticket": "2264569", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2264569", "description": ""}, {"ticket": "2264574", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2264574", "description": ""}, {"ticket": "2264582", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2264582", "description": ""}], "cves": [{"name": "CVE-2023-46809", "sourceBy": "MITRE", "sourceLink": "https://www.cve.org/CVERecord?id=CVE-2023-46809", "cvss3ScoringVector": "UNKNOWN", "cvss3BaseScore": "UNKNOWN", "cwe": "UNKNOWN"}, {"name": "CVE-2024-21892", "sourceBy": "MITRE", "sourceLink": "https://www.cve.org/CVERecord?id=CVE-2024-21892", "cvss3ScoringVector": "UNKNOWN","cvss3BaseScore": "UNKNOWN", "cwe": "UNKNOWN"}, {"name": "CVE-2024-22019", "sourceBy": "MITRE", "sourceLink": "https://www.cve.org/CVERecord?id=CVE-2024-22019", "cvss3ScoringVector": "UNKNOWN", "cvss3BaseScore": "UNKNOWN", "cwe": "UNKNOWN"}], "references": [], "publishedAt": "2024-03-27T04:34:32.999941Z", "rpms": {"Rocky Linux 8": {"nvras": ["nodejs-1:18.19.1-1.module+el8.9.0+1768+6b454dc0.aarch64.rpm", "nodejs-1:18.19.1-1.module+el8.9.0+1768+6b454dc0.src.rpm", "nodejs-1:18.19.1-1.module+el8.9.0+1768+6b454dc0.x86_64.rpm", "nodejs-debuginfo-1:18.19.1-1.module+el8.9.0+1768+6b454dc0.aarch64.rpm", "nodejs-debuginfo-1:18.19.1-1.module+el8.9.0+1768+6b454dc0.x86_64.rpm", "nodejs-debugsource-1:18.19.1-1.module+el8.9.0+1768+6b454dc0.aarch64.rpm", "nodejs-debugsource-1:18.19.1-1.module+el8.9.0+1768+6b454dc0.x86_64.rpm", "nodejs-devel-1:18.19.1-1.module+el8.9.0+1768+6b454dc0.aarch64.rpm", "nodejs-devel-1:18.19.1-1.module+el8.9.0+1768+6b454dc0.x86_64.rpm", "nodejs-docs-1:18.19.1-1.module+el8.9.0+1768+6b454dc0.noarch.rpm", "nodejs-full-i18n-1:18.19.1-1.module+el8.9.0+1768+6b454dc0.aarch64.rpm", "nodejs-full-i18n-1:18.19.1-1.module+el8.9.0+1768+6b454dc0.x86_64.rpm", "nodejs-nodemon-0:3.0.1-1.module+el8.8.0+1459+02651ab6.noarch.rpm", "nodejs-nodemon-0:3.0.1-1.module+el8.8.0+1459+02651ab6.src.rpm", "nodejs-packaging-0:2021.06-4.module+el8.7.0+1072+5b168780.noarch.rpm", "nodejs-packaging-0:2021.06-4.module+el8.7.0+1072+5b168780.src.rpm", "nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+1072+5b168780.noarch.rpm", "npm-1:10.2.4-1.18.19.1.1.module+el8.9.0+1768+6b454dc0.aarch64.rpm", "npm-1:10.2.4-1.18.19.1.1.module+el8.9.0+1768+6b454dc0.x86_64.rpm"]}}, "rebootSuggested": false, "buildReferences": []}. The latest Node.js 18 upgrade for Rocky Linux tackles significant security vulnerabilities that could impact system performance and integrity.. Nodejs Security Update, Rocky Linux Advisory, DoS Risks, Code Injection Mitigation. . Severity: Important. LinuxSecurity.com Team
* bsc#1219993 * bsc#1219997 * bsc#1220014 * bsc#1220053 . # Security update for nodejs14 Announcement ID: SUSE-SU-2024:0732-1 Rating: important References: * bsc#1219993 * bsc#1219997 * bsc#1220014 * bsc#1220053 Cross-References: * CVE-2023-46809 * CVE-2024-22019 * CVE-2024-22025 * CVE-2024-24806 CVSS scores: * CVE-2023-46809 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2024-22019 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2024-24806 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2024-24806 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Affected Products: * SUSE Enterprise Storage 7.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 * SUSE Linux Enterprise Server 15 SP2 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 * SUSE Linux Enterprise Server 15 SP3 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 An update that solves four vulnerabilities can now be installed. ## Description: This update for nodejs14 fixes the following issues: Security issues fixed: * CVE-2023-46809: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) (bsc#1219997). * CVE-2024-22019: http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (bsc#1219993). * CVE-2024-22025: Denial of Service by resource exhaustion in fetch() brotli decoding (bsc#1220014). * CVE-2024-24806: fix improper domain lookup that potentially leads to SSRF attacks (bsc#1219724). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methodslike YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-732=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-732=1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-732=1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-732=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-732=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-732=1 * SUSE Enterprise Storage 7.1 zypper in -t patch SUSE-Storage-7.1-2024-732=1 ## Package List: * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64) * nodejs14-debuginfo-14.21.3-150200.15.55.1 * nodejs14-devel-14.21.3-150200.15.55.1 * nodejs14-14.21.3-150200.15.55.1 * nodejs14-debugsource-14.21.3-150200.15.55.1 * npm14-14.21.3-150200.15.55.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch) * nodejs14-docs-14.21.3-150200.15.55.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64) * nodejs14-debuginfo-14.21.3-150200.15.55.1 * nodejs14-devel-14.21.3-150200.15.55.1 * nodejs14-14.21.3-150200.15.55.1 * nodejs14-debugsource-14.21.3-150200.15.55.1 * npm14-14.21.3-150200.15.55.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch) * nodejs14-docs-14.21.3-150200.15.55.1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64) * nodejs14-debuginfo-14.21.3-150200.15.55.1 * nodejs14-devel-14.21.3-150200.15.55.1 *nodejs14-14.21.3-150200.15.55.1 * nodejs14-debugsource-14.21.3-150200.15.55.1 * npm14-14.21.3-150200.15.55.1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch) * nodejs14-docs-14.21.3-150200.15.55.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64) * nodejs14-debuginfo-14.21.3-150200.15.55.1 * nodejs14-devel-14.21.3-150200.15.55.1 * nodejs14-14.21.3-150200.15.55.1 * nodejs14-debugsource-14.21.3-150200.15.55.1 * npm14-14.21.3-150200.15.55.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch) * nodejs14-docs-14.21.3-150200.15.55.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64) * nodejs14-debuginfo-14.21.3-150200.15.55.1 * nodejs14-devel-14.21.3-150200.15.55.1 * nodejs14-14.21.3-150200.15.55.1 * nodejs14-debugsource-14.21.3-150200.15.55.1 * npm14-14.21.3-150200.15.55.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch) * nodejs14-docs-14.21.3-150200.15.55.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64) * nodejs14-debuginfo-14.21.3-150200.15.55.1 * nodejs14-devel-14.21.3-150200.15.55.1 * nodejs14-14.21.3-150200.15.55.1 * nodejs14-debugsource-14.21.3-150200.15.55.1 * npm14-14.21.3-150200.15.55.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch) * nodejs14-docs-14.21.3-150200.15.55.1 * SUSE Enterprise Storage 7.1 (aarch64 x86_64) * nodejs14-debuginfo-14.21.3-150200.15.55.1 * nodejs14-devel-14.21.3-150200.15.55.1 * nodejs14-14.21.3-150200.15.55.1 * nodejs14-debugsource-14.21.3-150200.15.55.1 * npm14-14.21.3-150200.15.55.1 * SUSE Enterprise Storage 7.1 (noarch) * nodejs14-docs-14.21.3-150200.15.55.1 ## References: * https://www.suse.com/security/cve/CVE-2023-46809.html * https://www.suse.com/security/cve/CVE-2024-22019.html * https://www.suse.com/security/cve/CVE-2024-22025.html * https://www.suse.com/security/cve/CVE-2024-24806.html *https://bugzilla.suse.com/show_bug.cgi?id=1219993 * https://bugzilla.suse.com/show_bug.cgi?id=1219997 * https://bugzilla.suse.com/show_bug.cgi?id=1220014 * https://bugzilla.suse.com/show_bug.cgi?id=1220053 . Tackling key challenges in nodejs14 on SUSE; features essential updates and remediation techniques for users.. Nodejs14 Update, SUSE Security Advisory, DoS Attack Fix, SSRF Vulnerability. . Severity: Important. LinuxSecurity.com Team
Several security issues were fixed in Go.. ========================================================================== Ubuntu Security Notice USN-6574-1 January 11, 2024 Go vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 23.04 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Go. Software Description: - golang-1.20: Go programming language compiler - golang-1.21: Go programming language compiler Details: Takeshi Kaneko discovered that Go did not properly handle comments and special tags in the script context of html/template module. An attacker could possibly use this issue to inject Javascript code and perform a cross site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-39318, CVE-2023-39319) It was discovered that Go did not properly validate the "//go:cgo_" directives during compilation. An attacker could possibly use this issue to inject arbitrary code during compile time. (CVE-2023-39323) It was discovered that Go did not limit the number of simultaneously executing handler goroutines in the net/http module. An attacker could possibly use this issue to cause a panic resulting into a denial of service. (CVE-2023-39325, CVE-2023-44487) It was discovered that the Go net/http module did not properly validate the chunk extensions reading from a request or response body. An attacker could possibly use this issue to read sensitive information. (CVE-2023-39326) It was discovered that Go did not properly validate the insecure "git://" protocol when using go get to fetch a module with the ".git" suffix. An attacker could possibly use this issue to bypass secure protocol checks. (CVE-2023-45285) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: golang-1.20 1.20.8-1ubuntu0.23.10.1 golang-1.20-go 1.20.8-1ubuntu0.23.10.1 golang-1.20-src 1.20.8-1ubuntu0.23.10.1 golang-1.21 1.21.1-1ubuntu0.23.10.1 golang-1.21-go 1.21.1-1ubuntu0.23.10.1 golang-1.21-src 1.21.1-1ubuntu0.23.10.1 Ubuntu 23.04: golang-1.20 1.20.3-1ubuntu0.2 golang-1.20-go 1.20.3-1ubuntu0.2 golang-1.20-src 1.20.3-1ubuntu0.2 golang-1.21 1.21.1-1~ubuntu23.04.2 golang-1.21-go 1.21.1-1~ubuntu23.04.2 golang-1.21-src 1.21.1-1~ubuntu23.04.2 Ubuntu 22.04 LTS: golang-1.20 1.20.3-1ubuntu0.1~22.04.1 golang-1.20-go 1.20.3-1ubuntu0.1~22.04.1 golang-1.20-src 1.20.3-1ubuntu0.1~22.04.1 golang-1.21 1.21.1-1~ubuntu22.04.2 golang-1.21-go 1.21.1-1~ubuntu22.04.2 golang-1.21-src 1.21.1-1~ubuntu22.04.2 Ubuntu 20.04 LTS: golang-1.20 1.20.3-1ubuntu0.1~20.04.1 golang-1.20-go 1.20.3-1ubuntu0.1~20.04.1 golang-1.20-src 1.20.3-1ubuntu0.1~20.04.1 golang-1.21 1.21.1-1~ubuntu20.04.2 golang-1.21-go 1.21.1-1~ubuntu20.04.2 golang-1.21-src 1.21.1-1~ubuntu20.04.2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6574-1 CVE-2023-39318, CVE-2023-39319, CVE-2023-39323, CVE-2023-39325, CVE-2023-39326, CVE-2023-44487, CVE-2023-45285 Package Information: https://launchpad.net/ubuntu/+source/golang-1.20/1.20.8-1ubuntu0.23.10.1 https://launchpad.net/ubuntu/+source/golang-1.21/1.21.1-1ubuntu0.23.10.1 https://launchpad.net/ubuntu/+source/golang-1.21/1.21.1-1~ubuntu23.04.2 https://launchpad.net/ubuntu/+source/golang-1.20/1.20.3-1ubuntu0.1~22.04.1 https://launchpad.net/ubuntu/+source/golang-1.21/1.21.1-1~ubuntu22.04.2 https://launchpad.net/ubuntu/+source/golang-1.20/1.20.3-1ubuntu0.1~20.04.1 https://launchpad.net/ubuntu/+source/golang-1.21/1.21.1-1~ubuntu20.04.2 . Multiple Ubuntu variants have released critical updates addressing Go-related security flaws. Ensure you update now for enhanced protection.. Ubuntu Security Notice, Go Programming, Code Injection, DoS Attack, Software Updates. . Severity: Critical. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.