| Summary: | golang new security issue CVE-2024-24791 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | golang-1.21.11-1.mga9.src.rpm | CVE: | CVE-2024-24791 |
| Status comment: | |||
|
Description
Nicolas Salguero
2024-07-09 15:34:41 CEST
Nicolas Salguero
2024-07-09 15:35:04 CEST
Source RPM:
(none) =>
golang-1.21.11-1.mga9.src.rpm Suggested advisory: ======================== The updated packages fix a security vulnerability: he net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. (CVE-2024-24791) References: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Q7H2ERJVZKVOCEC3V4NLCNG24ALF4NI/ ======================== Updated packages in core/updates_testing: ======================== golang-1.21.12-1.mga9 golang-bin-1.21.12-1.mga9 golang-docs-1.21.12-1.mga9 golang-misc-1.21.12-1.mga9 golang-shared-1.21.12-1.mga9 golang-src-1.21.12-1.mga9 golang-tests-1.21.12-1.mga9 from SRPM: golang-1.21.12-1.mga9.src.rpm Status comment:
Fixed upstream in 1.21.12 =>
(none)
katnatek
2024-07-09 23:56:49 CEST
Keywords:
(none) =>
advisory Mageia9, x86_64
Going ahead with the update because the exploit looks too complex to test.
Clean update anyway.
$ rpm -q golang
golang-1.21.12-1.mga9
$ rpm -qa | grep golang | wc -l
356
No apologies for running the usual docker build sequence to test the compiler.
$ mgarepo co docker
Checked out revision 2080535.
$ cd docker
$ ls
BUILD/ BUILDROOT/ RPMS/ SOURCES/ SPECS/ SRPMS/
$ bm -s
creating package list
processing package %{origname}-%{moby_version}-%mkrel 5
building source package
succeeded!
$ sudo urpmi --buildrequires SPECS/docker.spec
warning: Macro expanded in comment on line 43: %{shortcommit_moby}
[...]
s: Obsoletes: docker-swarm
s: Obsoletes: docker-vim
$ bm -l
[...]
succeeded!
$ cd RPMS/x86_64
$ ls
docker-24.0.5-5.mga9.x86_64.rpm
docker-devel-24.0.5-5.mga9.x86_64.rpm
docker-fish-completion-24.0.5-5.mga9.x86_64.rpm
docker-logrotate-24.0.5-5.mga9.x86_64.rpm
docker-nano-24.0.5-5.mga9.x86_64.rpm
docker-zsh-completion-24.0.5-5.mga9.x86_64.rpm
$ rpm -q docker
docker-24.0.5-4.mga9
Update coming maybe. Looks like golang is working as intended.CC:
(none) =>
tarazed25 Addendum to comment 2; Searched for the CVE on the Mitre site. https://github.com/golang/go/issues/67555 does not outline a PoC.
katnatek
2024-07-11 00:47:55 CEST
CC:
(none) =>
andrewsfarm Validating. Keywords:
(none) =>
validated_update An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0261.html Status:
ASSIGNED =>
RESOLVED |