{
  "document": {
    "aggregate_severity": {
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "CVE-2024-24789: fix zip parsing to reject EOCDR records with truncated comments\n- CVE-2024-9355: fix HMAC to pass initialized length to EVP_DigestSignFinal,\n  ensuring correct output handling.",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/advisories/2025/clsa-2025_1748626881.json"
      },
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881"
      }
    ],
    "tracking": {
      "current_release_date": "2026-02-16T09:24:20Z",
      "generator": {
        "date": "2026-02-16T09:24:20Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2025:1748626881",
      "initial_release_date": "2025-05-30T17:42:43Z",
      "revision_history": [
        {
          "date": "2025-05-30T17:42:43Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-02-16T09:24:20Z",
          "number": "2",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "golang: Fix of 2 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
                "product": {
                  "name": "golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
                  "product_id": "golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/golang-tests@1.19.13-1.el9_2.tuxcare.els8?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
                "product": {
                  "name": "golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
                  "product_id": "golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/golang-docs@1.19.13-1.el9_2.tuxcare.els8?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
                "product": {
                  "name": "golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
                  "product_id": "golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/golang-misc@1.19.13-1.el9_2.tuxcare.els8?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
                "product": {
                  "name": "golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
                  "product_id": "golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/golang-src@1.19.13-1.el9_2.tuxcare.els8?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
                "product": {
                  "name": "golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
                  "product_id": "golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/golang@1.19.13-1.el9_2.tuxcare.els8?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
                "product": {
                  "name": "golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
                  "product_id": "golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/golang-race@1.19.13-1.el9_2.tuxcare.els8?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
                "product": {
                  "name": "golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
                  "product_id": "golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/golang-bin@1.19.13-1.el9_2.tuxcare.els8?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
        },
        "product_reference": "golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
        },
        "product_reference": "golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
        },
        "product_reference": "golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64"
        },
        "product_reference": "golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
        },
        "product_reference": "golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64"
        },
        "product_reference": "golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64"
        },
        "product_reference": "golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-24784",
      "cwe": {
        "id": "CWE-115",
        "name": "Misinterpretation of Input"
      },
      "notes": [
        {
          "category": "description",
          "text": "The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-24784"
        }
      ],
      "release_date": "2024-03-05T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-05-30T17:41:23Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881",
          "product_ids": [
            "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2023-39326",
      "notes": [
        {
          "category": "description",
          "text": "A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-39326"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/547335",
          "url": "https://go.dev/cl/547335"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/64433",
          "url": "https://go.dev/issue/64433"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ",
          "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-2382",
          "url": "https://pkg.go.dev/vuln/GO-2023-2382"
        }
      ],
      "release_date": "2023-12-06T17:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-05-30T17:41:23Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881",
          "product_ids": [
            "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2024-24789",
      "notes": [
        {
          "category": "description",
          "text": "The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-24789"
        },
        {
          "category": "external",
          "summary": "http://www.openwall.com/lists/oss-security/2024/06/04/1",
          "url": "http://www.openwall.com/lists/oss-security/2024/06/04/1"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/585397",
          "url": "https://go.dev/cl/585397"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/66869",
          "url": "https://go.dev/issue/66869"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ",
          "url": "https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2024-2888",
          "url": "https://pkg.go.dev/vuln/GO-2024-2888"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20250131-0008/",
          "url": "https://security.netapp.com/advisory/ntap-20250131-0008/"
        }
      ],
      "release_date": "2024-06-05T16:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-05-30T17:41:23Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881",
          "product_ids": [
            "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2024-34158",
      "cwe": {
        "id": "CWE-1325",
        "name": "Improperly Controlled Sequential Memory Allocation"
      },
      "notes": [
        {
          "category": "description",
          "text": "Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-34158"
        }
      ],
      "release_date": "2024-09-06T21:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-05-30T17:41:23Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881",
          "product_ids": [
            "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2023-45290",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "description",
          "text": "When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-45290"
        }
      ],
      "release_date": "2024-03-05T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-05-30T17:41:23Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881",
          "product_ids": [
            "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2024-9355",
      "cwe": {
        "id": "CWE-457",
        "name": "Use of Uninitialized Variable"
      },
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false-positive match between non-equal hashes when comparing a trusted computed HMAC sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-9355"
        }
      ],
      "release_date": "2024-09-30T20:53:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-05-30T17:41:23Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881",
          "product_ids": [
            "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2024-24791",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "description",
          "text": "The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \"Expect: 100-continue\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \"Expect: 100-continue\" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
          "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
          "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-24791"
        }
      ],
      "release_date": "2024-07-02T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-05-30T17:41:23Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881",
          "product_ids": [
            "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1748626881"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:golang-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-bin-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-docs-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-misc-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-race-0:1.19.13-1.el9_2.tuxcare.els8.x86_64",
            "AlmaLinux-9.2:golang-src-0:1.19.13-1.el9_2.tuxcare.els8.noarch",
            "AlmaLinux-9.2:golang-tests-0:1.19.13-1.el9_2.tuxcare.els8.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}