Mageia Advisory: MGASA-2025-0205 - Updated golang packages fix security vulnerabilities

Updated golang packages fix security vulnerabilities

Publication date: 11 Jul 2025
Modification date: 11 Jul 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-4674

Description

Various uses of the Go toolchain in untrusted VCS repositories can
result in unexpected code execution. When using the Go toolchain
in directories fetched using various VCS tools (such as directly
cloning Git or Mercurial repositories) can cause the toolchain to
execute unexpected commands, if said directory contains multiple
VCS configuration metadata (such as a '.hg' directory in a Git
repository). This is due to how the Go toolchain attempts to resolve
which VCS is being used in order to embed build information in binaries
and determine module versions.

References

https://bugs.mageia.org/show_bug.cgi?id=34456
https://www.openwall.com/lists/oss-security/2025/07/08/5
https://github.com/golang/go/issues/74382
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4674

SRPMS

9/core

golang-1.24.5-1.mga9

Advisories » MGASA-2025-0205

Updated golang packages fix security vulnerabilities

Description

References

SRPMS

9/core