Bug 33197

Summary: golang new security issue CVE-2024-24788
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, bruno.cornec, fri, herman.viaene, joequant, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: golang-1.21.9-1.mga9.src.rpm CVE: CVE-2024-24788
Status comment:

Description Nicolas Salguero 2024-05-13 14:00:11 CEST 
Those issues were announced here:
https://www.openwall.com/lists/oss-security/2024/05/08/3

They are fixed in version 1.21.10.
Nicolas Salguero 2024-05-13 14:01:04 CEST

Status comment: (none) => Fixed upstream in 1.21.10
CVE: (none) => CVE-2024-24787, CVE-2024-24788
Source RPM: (none) => golang-1.21.9-1.mga9.src.rpm

Comment 1 Morgan Leijström 2024-05-13 14:22:19 CEST 
CC registered maintainer though seem not much active here, so 
also CC Bruno C who have done most updates recently plus assign all.

Assignee: bugsquad => pkg-bugs
CC: (none) => bruno.cornec, fri, joequant

Comment 2 Nicolas Salguero 2024-05-14 16:21:52 CEST 
CVE-2024-24787 only affects macOS.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. (CVE-2024-24788)

References:
https://www.openwall.com/lists/oss-security/2024/05/08/3
========================

Updated packages in core/updates_testing:
========================
golang-1.21.10-1.mga9
golang-bin-1.21.10-1.mga9
golang-docs-1.21.10-1.mga9
golang-misc-1.21.10-1.mga9
golang-shared-1.21.10-1.mga9
golang-src-1.21.10-1.mga9
golang-tests-1.21.10-1.mga9

from SRPM:
golang-1.21.10-1.mga9.src.rpm

Summary: golang new security issues CVE-2024-2478[78] => golang new security issue CVE-2024-24788
Status comment: Fixed upstream in 1.21.10 => (none)
Assignee: pkg-bugs => qa-bugs
CVE: CVE-2024-24787, CVE-2024-24788 => CVE-2024-24788
Status: NEW => ASSIGNED

katnatek 2024-05-15 04:04:33 CEST

Keywords: (none) => advisory

Comment 3 Herman Viaene 2024-05-16 14:12:38 CEST 
MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues.Checked previous updates , but testing wih docker is out of my league. At least no ill effects.

CC: (none) => herman.viaene

Comment 4 katnatek 2024-05-16 19:25:08 CEST 
Get docker with mgarepo and add the packages to qarepo

Get the buildrequires and can confirm some of the packages in qarepo are fetched as part of the packages to build docker

Build docker without issues

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2024-05-17 15:35:48 CEST 
I remember building docker on Foolishness for a previous 32-bit-only bug. It was an... experience. Thing is, I don't remember any of the details of how to do it, so I'd have a difficult time repeating the feat. You're in good company, Herman.

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2024-05-17 20:44:06 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0181.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED