Advisories » MGASA-2019-0066

Updated golang packages fix security vulnerability

Publication date: 13 Feb 2019
Modification date: 13 Feb 2019
Type: security
Affected Mageia releases: 6
CVE: CVE-2018-16873, CVE-2018-16874, CVE-2018-16875, CVE-2019-6486

Description

Remote code execution in go get, when executed with the -u flag
(CVE-2018-16873).

An arbitrary filesystem write in go get, which could lead to code execution
(CVE-2018-16874).

Denial of Service in the crypto/x509 package during certificate chain
validation (CVE-2018-16875).

Go before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows
attackers to cause a denial of service (CPU consumption) or possibly conduct
ECDH private key recovery attacks (CVE-2019-6486).
                

References

SRPMS

6/core