Fedora has issued an advisory on July 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Q7H2ERJVZKVOCEC3V4NLCNG24ALF4NI/

Cauldron already has version 1.22.5 so only Mageia 9 needs an update (to version 1.21.12).
Source RPM: (none) => golang-1.21.11-1.mga9.src.rpm
CVE: (none) => CVE-2024-24791
Status comment: (none) => Fixed upstream in 1.21.12
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. (CVE-2024-24791)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Q7H2ERJVZKVOCEC3V4NLCNG24ALF4NI/
========================

Updated packages in core/updates_testing:
========================
golang-1.21.12-1.mga9
golang-bin-1.21.12-1.mga9
golang-docs-1.21.12-1.mga9
golang-misc-1.21.12-1.mga9
golang-shared-1.21.12-1.mga9
golang-src-1.21.12-1.mga9
golang-tests-1.21.12-1.mga9

from SRPM:
golang-1.21.12-1.mga9.src.rpm
Status comment: Fixed upstream in 1.21.12 => (none)
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Keywords: (none) => advisory
Mageia9, x86_64

Going ahead with the update because the exploit looks too complex to test.
Clean update anyway.

$ rpm -q golang
golang-1.21.12-1.mga9
$ rpm -qa | grep golang | wc -l
356

No apologies for running the usual docker build sequence to test the compiler.

$ mgarepo co docker
Checked out revision 2080535.
$ cd docker
$ ls
BUILD/ BUILDROOT/ RPMS/ SOURCES/ SPECS/ SRPMS/
$ bm -s
creating package list
processing package %{origname}-%{moby_version}-%mkrel 5
building source package
succeeded!
$ sudo urpmi --buildrequires SPECS/docker.spec
warning: Macro expanded in comment on line 43: %{shortcommit_moby}
[...]
s: Obsoletes: docker-swarm
s: Obsoletes: docker-vim
$ bm -l
[...]
succeeded!
$ cd RPMS/x86_64
$ ls
docker-24.0.5-5.mga9.x86_64.rpm
docker-devel-24.0.5-5.mga9.x86_64.rpm
docker-fish-completion-24.0.5-5.mga9.x86_64.rpm
docker-logrotate-24.0.5-5.mga9.x86_64.rpm
docker-nano-24.0.5-5.mga9.x86_64.rpm
docker-zsh-completion-24.0.5-5.mga9.x86_64.rpm
$ rpm -q docker
docker-24.0.5-4.mga9

Update coming maybe.
Looks like golang is working as intended.
CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK
Addendum to comment 2; Searched for the CVE on the Mitre site. https://github.com/golang/go/issues/67555 does not outline a PoC.
CC: (none) => andrewsfarm
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0261.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
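
Added example, not part of the bug report or of Mageia's tooling: net/http is compiled into every Go program, so a binary built with the older golang package keeps the affected HTTP/1.1 client until it is rebuilt, which is why the docker rebuild in the test comment is relevant. The program below reads the toolchain version embedded in a binary and compares it with the fixed releases named in this report (1.21.12 and 1.22.5); the function names are illustrative, and counting series older than 1.21 as affected is an assumption.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// First patch release per series with the CVE-2024-24791 fix (from this report).
var fixedPatch = map[int]int{21: 12, 22: 5}

// affected reports whether a toolchain string such as "go1.21.11" predates
// the fix. Anything it cannot parse (devel builds, RCs) is an error, not a guess.
func affected(goVersion string) (bool, error) {
	bad := fmt.Errorf("unrecognised Go version %q", goVersion)
	f := strings.Fields(goVersion) // drop suffixes like " X:boringcrypto"
	if len(f) == 0 || !strings.HasPrefix(f[0], "go1.") {
		return false, bad
	}
	// Appending ".0" makes "go1.21" parse as the .0 release.
	parts := strings.SplitN(f[0][len("go1."):]+".0", ".", 3)
	minor, e1 := strconv.Atoi(parts[0])
	patch, e2 := strconv.Atoi(parts[1])
	if e1 != nil || e2 != nil {
		return false, bad
	}
	if fix, ok := fixedPatch[minor]; ok {
		return patch < fix, nil
	}
	return minor < 21, nil // assumption: older, unpatched series count as affected
}

// scan reads the toolchain version the Go linker embedded in the binary at path.
func scan(path string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err // not a Go binary, or unreadable
	}
	hit, err := affected(info.GoVersion)
	return info.GoVersion, hit, err
}

func main() {
	for _, p := range os.Args[1:] { // pass the paths of installed Go binaries
		v, hit, err := scan(p)
		fmt.Printf("%s: toolchain=%q affected=%v err=%v\n", p, v, hit, err)
	}
}
```

`go version <binary>` prints the same embedded toolchain string for a single file.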