MGASA-2023-0145 - Updated golang packages fix security vulnerability

Publication date: 15 Apr 2023
URL: https://advisories.mageia.org/MGASA-2023-0145.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2023-24534,
     CVE-2023-24536,
     CVE-2023-24537,
     CVE-2023-24538

DOS due to incorrect HTTP and MIME header parsing (CVE-2023-24534)
DOS due to incorrect Multipart form parsing (CVE-2023-24536)
Calling any of the Parse functions on Go source code which contains //line
directives with very large line numbers can cause an infinite loop due to
integer overflow. (CVE-2023-24537)
Arbitrary Javascript code execution due to failure to escape back ticks
(CVE-2023-24538)

References:
- https://bugs.mageia.org/show_bug.cgi?id=31769
- https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
- https://lists.suse.com/pipermail/sle-security-updates/2023-April/014420.html
- https://lists.suse.com/pipermail/sle-security-updates/2023-April/014421.html
- https://lists.suse.com/pipermail/sle-security-updates/2023-April/014423.html
- https://lists.suse.com/pipermail/sle-security-updates/2023-April/014387.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24534
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24536
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24537
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24538

SRPMS:
- 8/core/golang-1.19.8-1.mga8