Updated golang packages fix security vulnerabilities
Publication date: 10 Jan 2021Type: security
Affected Mageia releases : 7
CVE: CVE-2020-28366 , CVE-2020-28367
Description
An input validation vulnerability was found in go. From a generated go file (from the cgo tool) it is possible to modify symbols within that object file and specify code instead. An attacker could potentially use this flaw by creating a repository which included malicious pre-built object files that could execute arbitrary code when downloaded and run via "go get" or "go build" whilst building a go project (CVE-2020-28366). An input validation vulnerability was found in go. If cgo is specified in a go file, it is possible to bypass the validation of arguments to the gcc compiler. An attacker could potentially use this flaw by creating a malicious repository which would execute arbitrary code when downloaded and run via "go get" or "go build" whilst building a go project (CVE-2020-28367).
References
SRPMS
7/core
- golang-1.13.15-3.mga7