Updated golang packages fix security vulnerability
Publication date: 15 Apr 2023Modification date: 15 Apr 2023
Type: security
Affected Mageia releases : 8
CVE: CVE-2023-24534 , CVE-2023-24536 , CVE-2023-24537 , CVE-2023-24538
Description
DOS due to incorrect HTTP and MIME header parsing (CVE-2023-24534)
DOS due to incorrect Multipart form parsing (CVE-2023-24536)
Calling any of the Parse functions on Go source code which contains //line
directives with very large line numbers can cause an infinite loop due to
integer overflow. (CVE-2023-24537)
Arbitrary Javascript code execution due to failure to escape back ticks
(CVE-2023-24538)
References
- https://bugs.mageia.org/show_bug.cgi?id=31769
- https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
- https://lists.suse.com/pipermail/sle-security-updates/2023-April/014420.html
- https://lists.suse.com/pipermail/sle-security-updates/2023-April/014421.html
- https://lists.suse.com/pipermail/sle-security-updates/2023-April/014423.html
- https://lists.suse.com/pipermail/sle-security-updates/2023-April/014387.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24534
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24536
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24537
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24538
SRPMS
8/core
- golang-1.19.8-1.mga8