Updated libuv packages fix security vulnerability
Publication date: 22 Mar 2024
Modification date: 21 Mar 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-24806
Description
It was discovered that the uv_getaddrinfo() function in libuv, an asynchronous event notification library, incorrectly truncated certain hostnames, which may allow security measures on internal APIs to be bypassed or enable SSRF attacks. (CVE-2024-24806)
References
- https://bugs.mageia.org/show_bug.cgi?id=32822
- https://www.openwall.com/lists/oss-security/2024/02/08/2
- https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
- https://lists.debian.org/debian-security-announce/2024/msg00044.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24806
SRPMS
9/core
- libuv-1.44.2-2.1.mga9