Advisories » MGASA-2024-0079

Updated libuv packages fix security vulnerability

Publication date: 22 Mar 2024
Modification date: 21 Mar 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-24806

Description

It was discovered that the uv_getaddrinfo() function in libuv, an
asynchronous event notification library, incorrectly truncated certain
hostnames, which may result in bypass of security measures on internal
APIs or SSRF attacks. (CVE-2024-24806)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=32822
• https://www.openwall.com/lists/oss-security/2024/02/08/2
• https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
• https://lists.debian.org/debian-security-announce/2024/msg00044.html
• https://www.cve.org/CVERecord?id=CVE-2024-24806

SRPMS

9/core

• libuv-1.44.2-2.1.mga9