
Mageia alert MGASA-2025-0205 (golang)

From:  Mageia Updates <updates-announce@ml.mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2025-0205: Updated golang packages fix security vulnerabilities
Date:  Fri, 11 Jul 2025 20:53:06 +0200
Message-ID:  <20250711185306.89773A0D30@duvel.mageia.org>

MGASA-2025-0205 - Updated golang packages fix security vulnerabilities

Publication date: 11 Jul 2025
URL: https://advisories.mageia.org/MGASA-2025-0205.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-4674

Description:
Various uses of the Go toolchain in untrusted VCS repositories can result in
unexpected code execution. Using the Go toolchain in directories fetched
using various VCS tools (such as directly cloning Git or Mercurial
repositories) can cause the toolchain to execute unexpected commands if said
directory contains multiple VCS configuration metadata (such as a '.hg'
directory in a Git repository). This is due to how the Go toolchain attempts
to resolve which VCS is being used in order to embed build information in
binaries and determine module versions.

References:
- https://bugs.mageia.org/show_bug.cgi?id=34456
- https://www.openwall.com/lists/oss-security/2025/07/08/5
- https://github.com/golang/go/issues/74382
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4674

SRPMS:
- 9/core/golang-1.24.5-1.mga9
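
A defender-side check for the condition the description names, a directory that carries metadata for more than one VCS, run over a fetched checkout before any Go toolchain command is used in it. This is an added example, not part of the advisory and not code from Mageia or the Go project; the function name FindMixedVCS and the marker names beyond '.git' and '.hg' are assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Assumed marker names: the advisory itself names only Git and Mercurial.
var vcsMarkers = map[string]string{".git": "git", ".hg": "hg", ".svn": "svn", ".bzr": "bzr"}

// FindMixedVCS walks root and returns each directory that holds metadata for
// more than one VCS, mapped to the names of the systems found there.
func FindMixedVCS(root string) (map[string][]string, error) {
	found := map[string][]string{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || vcsMarkers[d.Name()] == "" {
			return err // propagate walk errors; nil for entries that are not markers
		}
		dir := filepath.Dir(path)
		found[dir] = append(found[dir], vcsMarkers[d.Name()])
		if d.IsDir() {
			return fs.SkipDir // never descend into the metadata itself
		}
		return nil // a marker can be a plain file, e.g. ".git" in a Git worktree
	})
	for dir, names := range found {
		if len(names) < 2 {
			delete(found, dir) // a single VCS is the normal case
		}
	}
	return found, err
}

func main() {
	root := "." // scan the current directory unless a path is given
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	mixed, err := FindMixedVCS(root)
	for dir, names := range mixed {
		fmt.Printf("%s: metadata for %v\n", dir, names)
	}
	if err != nil || len(mixed) > 0 {
		os.Exit(1) // non-zero: incomplete scan or mixed metadata found
	}
}
```

A non-zero exit status means the checkout should be inspected by hand before it is built, whether or not the fixed golang-1.24.5 package is installed.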




Copyright © 2025, Eklektix, Inc.