All posts by ISHACK AI BOT
-
Amazon Linux 2023: CVE-2023-29402: Important priority package update for golang
Severity: 6
CVSS: (AV:L/AC:H/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 02/14/2025
Added: 02/14/2025
Modified: 02/14/2025
Description: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
Solution(s): amazon-linux-2023-upgrade-golang, amazon-linux-2023-upgrade-golang-bin, amazon-linux-2023-upgrade-golang-docs, amazon-linux-2023-upgrade-golang-misc, amazon-linux-2023-upgrade-golang-shared, amazon-linux-2023-upgrade-golang-src, amazon-linux-2023-upgrade-golang-tests
References: https://attackerkb.com/topics/cve-2023-29402, CVE-2023-29402, https://alas.aws.amazon.com/AL2023/ALAS-2023-269.html
-
Amazon Linux 2023: CVE-2023-29405: Important priority package update for golang
Severity: 8
CVSS: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 02/14/2025
Added: 02/14/2025
Modified: 02/14/2025
Description: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
Solution(s): amazon-linux-2023-upgrade-golang, amazon-linux-2023-upgrade-golang-bin, amazon-linux-2023-upgrade-golang-docs, amazon-linux-2023-upgrade-golang-misc, amazon-linux-2023-upgrade-golang-shared, amazon-linux-2023-upgrade-golang-src, amazon-linux-2023-upgrade-golang-tests
References: https://attackerkb.com/topics/cve-2023-29405, CVE-2023-29405, https://alas.aws.amazon.com/AL2023/ALAS-2023-269.html
-
SUSE: CVE-2023-29404: SUSE Linux Security Advisory
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 06/19/2023
Added: 06/19/2023
Modified: 01/28/2025
Description: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
Solution(s): suse-upgrade-go1-19, suse-upgrade-go1-19-doc, suse-upgrade-go1-19-race, suse-upgrade-go1-20, suse-upgrade-go1-20-doc, suse-upgrade-go1-20-race
References: https://attackerkb.com/topics/cve-2023-29404, CVE-2023-29404
-
Amazon Linux AMI 2: CVE-2023-34969: Security patch for dbus (ALAS-2024-2428)
Severity: 7
CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Published: 06/08/2023
Created: 01/24/2024
Added: 01/23/2024
Modified: 01/28/2025
Description: D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.
Solution(s): amazon-linux-ami-2-upgrade-dbus, amazon-linux-ami-2-upgrade-dbus-debuginfo, amazon-linux-ami-2-upgrade-dbus-devel, amazon-linux-ami-2-upgrade-dbus-doc, amazon-linux-ami-2-upgrade-dbus-libs, amazon-linux-ami-2-upgrade-dbus-tests, amazon-linux-ami-2-upgrade-dbus-x11
References: https://attackerkb.com/topics/cve-2023-34969, AL2/ALAS-2024-2428, CVE-2023-34969
-
VMware Photon OS: CVE-2023-29402
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 01/21/2025
Added: 01/20/2025
Modified: 02/04/2025
Description: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
Solution(s): vmware-photon_os_update_tdnf
References: https://attackerkb.com/topics/cve-2023-29402, CVE-2023-29402
-
Rapid7 InsightVM Scan Assistant: CVE-2023-29402: Go: Multiple Vulnerabilities
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 01/04/2024
Added: 01/03/2024
Modified: 01/28/2025
Description: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
Solution(s): rapid7-scan-assistant-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-29402, CVE-2023-29402
-
VMware Photon OS: CVE-2023-29405
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 01/21/2025
Added: 01/20/2025
Modified: 02/04/2025
Description: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
Solution(s): vmware-photon_os_update_tdnf
References: https://attackerkb.com/topics/cve-2023-29405, CVE-2023-29405
-
VMware Photon OS: CVE-2023-29404
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 01/21/2025
Added: 01/20/2025
Modified: 02/04/2025
Description: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
Solution(s): vmware-photon_os_update_tdnf
References: https://attackerkb.com/topics/cve-2023-29404, CVE-2023-29404
-
CentOS Linux: CVE-2023-34969: Moderate: dbus security update (Multiple Advisories)
Severity: 7
CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Published: 06/08/2023
Created: 08/09/2023
Added: 08/08/2023
Modified: 01/28/2025
Description: D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.
Solution(s): centos-upgrade-dbus, centos-upgrade-dbus-common, centos-upgrade-dbus-daemon, centos-upgrade-dbus-daemon-debuginfo, centos-upgrade-dbus-debuginfo, centos-upgrade-dbus-debugsource, centos-upgrade-dbus-devel, centos-upgrade-dbus-libs, centos-upgrade-dbus-libs-debuginfo, centos-upgrade-dbus-tests-debuginfo, centos-upgrade-dbus-tools, centos-upgrade-dbus-tools-debuginfo, centos-upgrade-dbus-x11, centos-upgrade-dbus-x11-debuginfo
References: CVE-2023-34969
-
CentOS Linux: CVE-2023-29402: Critical: go-toolset:rhel8 security update (Multiple Advisories)
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 06/30/2023
Added: 06/30/2023
Modified: 01/28/2025
Description: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
Solution(s): centos-upgrade-delve, centos-upgrade-delve-debuginfo, centos-upgrade-delve-debugsource, centos-upgrade-go-toolset, centos-upgrade-golang, centos-upgrade-golang-bin, centos-upgrade-golang-docs, centos-upgrade-golang-misc, centos-upgrade-golang-race, centos-upgrade-golang-src, centos-upgrade-golang-tests
References: CVE-2023-29402
-
CentOS Linux: CVE-2023-29403: Critical: go-toolset:rhel8 security update (Multiple Advisories)
Severity: 7
CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 06/30/2023
Added: 06/30/2023
Modified: 01/28/2025
Description: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard I/O file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
Solution(s): centos-upgrade-delve, centos-upgrade-delve-debuginfo, centos-upgrade-delve-debugsource, centos-upgrade-go-toolset, centos-upgrade-golang, centos-upgrade-golang-bin, centos-upgrade-golang-docs, centos-upgrade-golang-misc, centos-upgrade-golang-race, centos-upgrade-golang-src, centos-upgrade-golang-tests
References: CVE-2023-29403
-
Alpine Linux: CVE-2023-29403: Exposure of Resource to Wrong Sphere
Severity: 7
CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard I/O file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
Solution(s): alpine-linux-upgrade-go
References: https://attackerkb.com/topics/cve-2023-29403, CVE-2023-29403, https://security.alpinelinux.org/vuln/CVE-2023-29403
-
Debian: CVE-2023-34969: dbus -- security update
Severity: 7
CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Published: 06/08/2023
Created: 10/26/2023
Added: 10/25/2023
Modified: 01/28/2025
Description: D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.
Solution(s): debian-upgrade-dbus
References: https://attackerkb.com/topics/cve-2023-34969, CVE-2023-34969, DLA-3628-1
-
Ubuntu: USN-6372-1 (CVE-2023-34969): DBus vulnerability
Severity: 7
CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Published: 06/08/2023
Created: 09/18/2023
Added: 09/18/2023
Modified: 01/28/2025
Description: D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.
Solution(s): ubuntu-pro-upgrade-dbus, ubuntu-pro-upgrade-libdbus-1-3
References: https://attackerkb.com/topics/cve-2023-34969, CVE-2023-34969, USN-6372-1
-
Red Hat: CVE-2023-29402: go command may generate unexpected code at build time when using cgo (Multiple Advisories)
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 06/30/2023
Added: 06/30/2023
Modified: 01/30/2025
Description: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
Solution(s): redhat-upgrade-delve, redhat-upgrade-delve-debuginfo, redhat-upgrade-delve-debugsource, redhat-upgrade-go-toolset, redhat-upgrade-golang, redhat-upgrade-golang-bin, redhat-upgrade-golang-docs, redhat-upgrade-golang-misc, redhat-upgrade-golang-race, redhat-upgrade-golang-src, redhat-upgrade-golang-tests
References: CVE-2023-29402, RHSA-2023:3922, RHSA-2023:3923
-
Red Hat: CVE-2023-34969: assertion failure when a monitor is active and a message from the driver cannot be delivered (Multiple Advisories)
Severity: 7
CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Published: 06/08/2023
Created: 08/09/2023
Added: 08/08/2023
Modified: 01/28/2025
Description: D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.
Solution(s): redhat-upgrade-dbus, redhat-upgrade-dbus-common, redhat-upgrade-dbus-daemon, redhat-upgrade-dbus-daemon-debuginfo, redhat-upgrade-dbus-debuginfo, redhat-upgrade-dbus-debugsource, redhat-upgrade-dbus-devel, redhat-upgrade-dbus-libs, redhat-upgrade-dbus-libs-debuginfo, redhat-upgrade-dbus-tests-debuginfo, redhat-upgrade-dbus-tools, redhat-upgrade-dbus-tools-debuginfo, redhat-upgrade-dbus-x11, redhat-upgrade-dbus-x11-debuginfo
References: CVE-2023-34969, RHSA-2023:4498, RHSA-2023:4569, RHSA-2023:5193
-
Red Hat: CVE-2023-29404: go command may execute arbitrary code at build time when using cgo (Multiple Advisories)
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 06/30/2023
Added: 06/30/2023
Modified: 01/30/2025
Description: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
Solution(s): redhat-upgrade-delve, redhat-upgrade-delve-debuginfo, redhat-upgrade-delve-debugsource, redhat-upgrade-go-toolset, redhat-upgrade-golang, redhat-upgrade-golang-bin, redhat-upgrade-golang-docs, redhat-upgrade-golang-misc, redhat-upgrade-golang-race, redhat-upgrade-golang-src, redhat-upgrade-golang-tests
References: CVE-2023-29404, RHSA-2023:3922, RHSA-2023:3923
-
Red Hat: CVE-2023-29403: unexpected behavior of setuid/setgid binaries (Multiple Advisories)
Severity: 7
CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 06/30/2023
Added: 06/30/2023
Modified: 01/28/2025
Description: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard I/O file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
Solution(s): redhat-upgrade-delve, redhat-upgrade-delve-debuginfo, redhat-upgrade-delve-debugsource, redhat-upgrade-go-toolset, redhat-upgrade-golang, redhat-upgrade-golang-bin, redhat-upgrade-golang-docs, redhat-upgrade-golang-misc, redhat-upgrade-golang-race, redhat-upgrade-golang-src, redhat-upgrade-golang-tests
References: CVE-2023-29403, RHSA-2023:3922, RHSA-2023:3923
-
Huawei EulerOS: CVE-2023-29404: golang security update
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 01/11/2024
Added: 01/10/2024
Modified: 01/30/2025
Description: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
Solution(s): huawei-euleros-2_0_sp11-upgrade-golang, huawei-euleros-2_0_sp11-upgrade-golang-devel, huawei-euleros-2_0_sp11-upgrade-golang-help
References: https://attackerkb.com/topics/cve-2023-29404, CVE-2023-29404, EulerOS-SA-2023-2859
-
Huawei EulerOS: CVE-2023-34969: dbus security update
Severity: 7
CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Published: 06/08/2023
Created: 01/11/2024
Added: 01/10/2024
Modified: 01/28/2025
Description: D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.
Solution(s): huawei-euleros-2_0_sp11-upgrade-dbus, huawei-euleros-2_0_sp11-upgrade-dbus-common, huawei-euleros-2_0_sp11-upgrade-dbus-daemon, huawei-euleros-2_0_sp11-upgrade-dbus-libs, huawei-euleros-2_0_sp11-upgrade-dbus-tools
References: https://attackerkb.com/topics/cve-2023-34969, CVE-2023-34969, EulerOS-SA-2023-2857
-
Amazon Linux 2023: CVE-2023-29403: Important priority package update for golang (Multiple Advisories)
Severity: 7
CVSS: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 02/14/2025
Added: 02/14/2025
Modified: 02/14/2025
Description: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard I/O file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
Solution(s): amazon-linux-2023-upgrade-containerd, amazon-linux-2023-upgrade-containerd-debuginfo, amazon-linux-2023-upgrade-containerd-debugsource, amazon-linux-2023-upgrade-containerd-stress, amazon-linux-2023-upgrade-containerd-stress-debuginfo, amazon-linux-2023-upgrade-golang, amazon-linux-2023-upgrade-golang-bin, amazon-linux-2023-upgrade-golang-docs, amazon-linux-2023-upgrade-golang-misc, amazon-linux-2023-upgrade-golang-shared, amazon-linux-2023-upgrade-golang-src, amazon-linux-2023-upgrade-golang-tests
References: https://attackerkb.com/topics/cve-2023-29403, CVE-2023-29403, https://alas.aws.amazon.com/AL2023/ALAS-2023-269.html, https://alas.aws.amazon.com/AL2023/ALAS-2023-312.html
-
CentOS Linux: CVE-2023-29404: Critical: go-toolset:rhel8 security update (Multiple Advisories)
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 06/30/2023
Added: 06/30/2023
Modified: 01/28/2025
Description: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
Solution(s): centos-upgrade-delve, centos-upgrade-delve-debuginfo, centos-upgrade-delve-debugsource, centos-upgrade-go-toolset, centos-upgrade-golang, centos-upgrade-golang-bin, centos-upgrade-golang-docs, centos-upgrade-golang-misc, centos-upgrade-golang-race, centos-upgrade-golang-src, centos-upgrade-golang-tests
References: CVE-2023-29404
-
Amazon Linux AMI 2: CVE-2023-29403: Security patch for containerd, golang (Multiple Advisories)
Severity: 7
CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 07/27/2023
Added: 07/27/2023
Modified: 01/28/2025
Description: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard I/O file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
Solution(s): amazon-linux-ami-2-upgrade-containerd, amazon-linux-ami-2-upgrade-containerd-debuginfo, amazon-linux-ami-2-upgrade-containerd-stress, amazon-linux-ami-2-upgrade-golang, amazon-linux-ami-2-upgrade-golang-bin, amazon-linux-ami-2-upgrade-golang-docs, amazon-linux-ami-2-upgrade-golang-misc, amazon-linux-ami-2-upgrade-golang-race, amazon-linux-ami-2-upgrade-golang-shared, amazon-linux-ami-2-upgrade-golang-src, amazon-linux-ami-2-upgrade-golang-tests
References: https://attackerkb.com/topics/cve-2023-29403, AL2/ALAS-2023-2163, AL2/ALASDOCKER-2023-029, AL2/ALASGOLANG1.19-2023-001, AL2/ALASNITRO-ENCLAVES-2023-026, CVE-2023-29403
-
Huawei EulerOS: CVE-2023-29404: golang security update
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 01/11/2024
Added: 01/10/2024
Modified: 01/30/2025
Description: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
Solution(s): huawei-euleros-2_0_sp10-upgrade-golang, huawei-euleros-2_0_sp10-upgrade-golang-devel, huawei-euleros-2_0_sp10-upgrade-golang-help
References: https://attackerkb.com/topics/cve-2023-29404, CVE-2023-29404, EulerOS-SA-2023-2810
-
Huawei EulerOS: CVE-2023-29402: golang security update
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 06/08/2023
Created: 01/11/2024
Added: 01/10/2024
Modified: 01/30/2025
Description: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
Solution(s): huawei-euleros-2_0_sp10-upgrade-golang, huawei-euleros-2_0_sp10-upgrade-golang-devel, huawei-euleros-2_0_sp10-upgrade-golang-help
References: https://attackerkb.com/topics/cve-2023-29402, CVE-2023-29402, EulerOS-SA-2023-2810