Those issues were announced here: https://www.openwall.com/lists/oss-security/2025/08/06/1
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 1.24.6
Source RPM: (none) => golang-1.24.5-1.mga10.src.rpm, golang-1.24.5-1.mga9.src.rpm
CVE: (none) => CVE-2025-47906, CVE-2025-47907
Assignee: bugsquad => j.alberto.vc
RPMS: golang-1.24.6-1.mga9 golang-bin-1.24.6-1.mga9 golang-docs-1.24.6-1.mga9 golang-misc-1.24.6-1.mga9 golang-shared-1.24.6-1.mga9 golang-src-1.24.6-1.mga9 golang-tests-1.24.6-1.mga9
SRPM: golang-1.24.6-1.mga9
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Source RPM: golang-1.24.5-1.mga10.src.rpm, golang-1.24.5-1.mga9.src.rpm => golang-1.24.5-1.mga9
Assignee: j.alberto.vc => qa-bugs
Keywords: (none) => advisory
Used to build docker without issues
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK,MG9.32-ok
Whiteboard: MGA9-64-OK,MG9.32-ok => MGA9-64-OK,MG9.32-OK
Whiteboard: MGA9-64-OK,MG9.32-OK => MGA9-64-OK,MG9-32-OK
Whiteboard: MGA9-64-OK,MG9-32-OK => MGA9-64-OK,MGA9-32-OK
Depends on: (none) => 34580
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Every Go program that uses this function must be recompiled to pick up this fix once this package has been pushed.
CC: (none) => dan
(In reply to Dan Fandrich from comment #4)
> Every Go program that uses this function must be recompiled to pick up this
> fix once this package has been pushed.

If you can find the packages that could need a rebuild and provide a list. If not, then delaying the update is worse; we already have other golang components that need attention in their own security reports, and a lot of them need to be checked for Cauldron. That will be a better use of packagers' energy. You know if you want this to be delayed, but with the actual manpower and the focus on getting Mageia 10 ready, it is more possible that another version fixing additional CVEs comes out.
This update doesn't need to be delayed, but it's not complete until those other packages are recompiled. And technically, all those other packages should be included in the .adv since they're all affected by CVE-2025-47906 and CVE-2025-47907. We've been ignoring this problem in Mageia which means our users are currently vulnerable to a host of issues despite security updates being pushed. For reference, the covering bug is #33973.
At the very least, the advisory should point out that only the compiler and standard library are updated for these CVEs and previously-compiled programs are still vulnerable.
(In reply to Dan Fandrich from comment #7)
> At the very least, the advisory should point out that only the compiler and
> standard library are updated for these CVEs and previously-compiled programs
> are still vulnerable.

Added this text:

This packages fix the issues for the compiler, applications using the functions should need rebuild.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0221.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
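The comments above ask for a list of already-built Go programs that still carry the old standard library. The following is an added example, not part of the original report or of any Mageia tooling: it reads the toolchain version embedded in each binary with Go's `debug/buildinfo` package and flags anything built before 1.24.6. The helper names are hypothetical, and the check is by toolchain version only; it does not determine whether a program actually calls the affected functions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// fixedVersion is the release the report names as fixed. Assumption: one
// threshold for all binaries; other release branches are not considered.
const fixedVersion = "go1.24.6"

// parseGoVersion turns "go1.24.5" into {1, 24, 5}. ok is false when no
// "goMAJOR.MINOR" prefix is present (for example development builds).
func parseGoVersion(v string) (out [3]int, ok bool) {
	n, _ := fmt.Sscanf(v, "go%d.%d.%d", &out[0], &out[1], &out[2])
	return out, n >= 2
}

// needsRebuild reports whether toolchain version v predates fixedVersion.
// Unparsable versions return true so that a person reviews them.
func needsRebuild(v string) bool {
	got, ok := parseGoVersion(v)
	if !ok {
		return true
	}
	want, _ := parseGoVersion(fixedVersion)
	for i := range got {
		if got[i] != want[i] {
			return got[i] < want[i]
		}
	}
	return false
}

// scan returns "path<TAB>toolchain<TAB>main package" for each Go binary
// that needs a rebuild. Files that are not Go binaries are skipped.
func scan(paths []string) (flagged []string) {
	for _, p := range paths {
		info, err := buildinfo.ReadFile(p)
		if err != nil || !needsRebuild(info.GoVersion) {
			continue
		}
		flagged = append(flagged, p+"\t"+info.GoVersion+"\t"+info.Path)
	}
	return flagged
}

func main() {
	for _, line := range scan(os.Args[1:]) {
		fmt.Println(line)
	}
}
```

Run it over the installed binaries, for example with `/usr/bin/*` as arguments; the flagged paths can then be mapped back to their packages with `rpm -qf`.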