Mageia alert MGASA-2023-0145 (golang)
| From: | Mageia Updates <buildsystem-daemon@mageia.org> | |
| To: | updates-announce@ml.mageia.org | |
| Subject: | [updates-announce] MGASA-2023-0145: Updated golang packages fix security vulnerability | |
| Date: | Sat, 15 Apr 2023 21:05:01 +0200 | |
| Message-ID: | <20230415190501.719E29FF29@duvel.mageia.org> | |
| Archive-link: | Article |
MGASA-2023-0145 - Updated golang packages fix security vulnerability Publication date: 15 Apr 2023 URL: https://advisories.mageia.org/MGASA-2023-0145.html Type: security Affected Mageia releases: 8 CVE: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538 Description: DOS due to incorrect HTTP and MIME header parsing (CVE-2023-24534) DOS due to incorrect Multipart form parsing (CVE-2023-24536) Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow. (CVE-2023-24537) Arbitrary Javascript code execution due to failure to escape back ticks (CVE-2023-24538) References: - https://bugs.mageia.org/show_bug.cgi?id=31769 - https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 - https://lists.suse.com/pipermail/sle-security-updates/202... - https://lists.suse.com/pipermail/sle-security-updates/202... - https://lists.suse.com/pipermail/sle-security-updates/202... - https://lists.suse.com/pipermail/sle-security-updates/202... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2... SRPMS: - 8/core/golang-1.19.8-1.mga8