Those CVEs were announced here: https://www.openwall.com/lists/oss-security/2024/06/04/1 For Cauldron, 1.22.4 is already built.
CVE: (none) => CVE-2024-24789, CVE-2024-24790Status comment: (none) => Fixed upstream in 1.21.11Source RPM: (none) => golang-1.21.10-1.mga9.src.rpm
Suggested advisory: ======================== The updated packages fix security vulnerabilities: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. (CVE-2024-24789) The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. (CVE-2024-24790) References: https://www.openwall.com/lists/oss-security/2024/06/04/1 ======================== Updated packages in core/updates_testing: ======================== golang-1.21.11-1.mga9 golang-bin-1.21.11-1.mga9 golang-docs-1.21.11-1.mga9 golang-misc-1.21.11-1.mga9 golang-shared-1.21.11-1.mga9 golang-src-1.21.11-1.mga9 golang-tests-1.21.11-1.mga9 from SRPM: golang-1.21.11-1.mga9.src.rpm
Status: NEW => ASSIGNEDStatus comment: Fixed upstream in 1.21.11 => (none)Assignee: bugsquad => qa-bugs
Keywords: (none) => advisory
mga9, x64 The files updated cleanly. Checked golang by a local build of docker, e.g. bug 30469. That ran smoothly and the docker rpms were built. Good to go. There is a POC I think but not sure how to apply it.
CC: (none) => tarazed25Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Thank you Len
Validating.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0217.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED