Bug 33197 - golang new security issue CVE-2024-24788
Summary: golang new security issue CVE-2024-24788
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-05-13 14:00 CEST by Nicolas Salguero
Modified: 2024-05-17 20:44 CEST
CC List: 6 users

See Also:
Source RPM: golang-1.21.9-1.mga9.src.rpm
CVE: CVE-2024-24788
Status comment:

Description Nicolas Salguero 2024-05-13 14:00:11 CEST
Those issues were announced here:
https://www.openwall.com/lists/oss-security/2024/05/08/3

They are fixed in version 1.21.10.
Nicolas Salguero 2024-05-13 14:01:04 CEST

Status comment: (none) => Fixed upstream in 1.21.10
CVE: (none) => CVE-2024-24787, CVE-2024-24788
Source RPM: (none) => golang-1.21.9-1.mga9.src.rpm

Comment 1 Morgan Leijström 2024-05-13 14:22:19 CEST
CC registered maintainer, though not much active here, so also CC Bruno C, who has done most updates recently, plus assign all.

Assignee: bugsquad => pkg-bugs
CC: (none) => bruno.cornec, fri, joequant

Comment 2 Nicolas Salguero 2024-05-14 16:21:52 CEST
CVE-2024-24787 only affects macOS.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. (CVE-2024-24788)

References:
https://www.openwall.com/lists/oss-security/2024/05/08/3
========================

Updated packages in core/updates_testing:
========================
golang-1.21.10-1.mga9
golang-bin-1.21.10-1.mga9
golang-docs-1.21.10-1.mga9
golang-misc-1.21.10-1.mga9
golang-shared-1.21.10-1.mga9
golang-src-1.21.10-1.mga9
golang-tests-1.21.10-1.mga9

from SRPM:
golang-1.21.10-1.mga9.src.rpm

Summary: golang new security issues CVE-2024-2478[78] => golang new security issue CVE-2024-24788
Status comment: Fixed upstream in 1.21.10 => (none)
Assignee: pkg-bugs => qa-bugs
CVE: CVE-2024-24787, CVE-2024-24788 => CVE-2024-24788
Status: NEW => ASSIGNED

katnatek 2024-05-15 04:04:33 CEST

Keywords: (none) => advisory

Comment 3 Herman Viaene 2024-05-16 14:12:38 CEST
MGA9-64 Plasma Wayland on HP Pavilion
No installation issues. Checked previous updates, but testing with docker is out of my league. At least no ill effects.

CC: (none) => herman.viaene

Comment 4 katnatek 2024-05-16 19:25:08 CEST
Get docker with mgarepo and add the packages to qarepo.

Get the buildrequires and can confirm some of the packages in qarepo are fetched as part of the packages to build docker.

Build docker without issues.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2024-05-17 15:35:48 CEST
I remember building docker on Foolishness for a previous 32-bit-only bug. It was an... experience. Thing is, I don't remember any of the details of how to do it, so I'd have a difficult time repeating the feat. You're in good company, Herman.

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2024-05-17 20:44:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0181.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED