[SECURITY] [DLA 4056-1] golang-glog security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4056-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andrej Shadura
February 17, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : golang-glog
Version : 0.0~git20160126.23def4e-3+deb11u1
CVE ID : CVE-2024-45339
The following vulnerability has been discovered in the glog package for Go:
When logs are written to a widely-writable directory (the default), an
unprivileged attacker may predict a privileged process's log file path
and pre-create a symbolic link to a sensitive file in its place. When
that privileged process runs, it will follow the planted symlink and
overwrite that sensitive file. To fix that, glog now causes the program
to exit (with status code 2) when it finds that the configured log file
already exists.
For Debian 11 bullseye, this problem has been fixed in version
0.0~git20160126.23def4e-3+deb11u1.
The following Go packages have been rebuilt in order to fix this
issue:
docker.io 20.10.5+dfsg1-1+deb11u4
golang-grpc-gateway 1.6.4-2+deb11u1
mtail 3.0.0~rc43-3+deb11u1
prometheus-mongodb-exporter 1.0.0+git20180522.e755a44-3+deb11u1
We recommend that you upgrade these packages.
For the detailed security status of golang-glog please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-glog
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCZ7L7EgAKCRDoRGtKyMdy
YSq4AP9SwzvxywwwjkBsecPVwlGaJ3EpH+seZId1cnuyN/eTwgEA2CXOMDbzXoTf
KrQJsdN4Vnxl64Bh9O6fK6nr5pG8+AM=
=wCxr
-----END PGP SIGNATURE-----
Reply to: