-------------------------------------------------------------------------
Debian LTS Advisory DLA-4056-1                          [email protected]
https://www.debian.org/lts/security/                       Andrej Shadura
February 17, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : golang-glog
Version        : 0.0~git20160126.23def4e-3+deb11u1
CVE ID         : CVE-2024-45339

The following vulnerability has been discovered in the glog package for Go:

When logs are written to a widely-writable directory (the default), an
unprivileged attacker may predict a privileged process's log file path and
pre-create a symbolic link to a sensitive file in its place. When that
privileged process runs, it will follow the planted symlink and overwrite
that sensitive file. To fix that, glog now causes the program to exit (with
status code 2) when it finds that the configured log file already exists.

For Debian 11 bullseye, this problem has been fixed in version
0.0~git20160126.23def4e-3+deb11u1.

The following Go packages have been rebuilt in order to fix this issue:

docker.io                    20.10.5+dfsg1-1+deb11u4
golang-grpc-gateway          1.6.4-2+deb11u1
mtail                        3.0.0~rc43-3+deb11u1
prometheus-mongodb-exporter  1.0.0+git20180522.e755a44-3+deb11u1

We recommend that you upgrade these packages.

For the detailed security status of golang-glog please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/golang-glog

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
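The mitigation the advisory describes, written out as an added illustration (this is not glog's own code nor part of the advisory): the log file is created with O_EXCL so that the kernel refuses, atomically, to open through any pre-existing path, including a planted symlink, and the program exits with status 2 in that case. Function names, the "server.INFO" file name and the temporary directory are assumptions chosen for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// openLogExclusive creates the log file with O_EXCL: the open fails if
// anything already sits at path, whether a regular file or a symlink
// (dangling or not). The existence check and the create happen in one
// system call, so there is no race window between a Stat and the open.
func openLogExclusive(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
}

// logFileExists reports whether the open failed because the path was
// already present, the condition the fixed glog treats as fatal.
func logFileExists(err error) bool {
	return errors.Is(err, fs.ErrExist)
}

// openLogOrExit applies the advisory's policy: refuse to run (exit status 2)
// rather than write through a path that existed before the process started.
func openLogOrExit(path string) *os.File {
	f, err := openLogExclusive(path)
	if err != nil {
		if logFileExists(err) {
			fmt.Fprintf(os.Stderr, "log file %s already exists; refusing to write through it\n", path)
			os.Exit(2)
		}
		fmt.Fprintf(os.Stderr, "cannot create log file: %v\n", err)
		os.Exit(1)
	}
	return f
}

func main() {
	// Constructed demo: a predictable log name inside a temp dir stands in
	// for the shared default log directory.
	dir, _ := os.MkdirTemp("", "glog-demo")
	defer os.RemoveAll(dir)
	logPath := filepath.Join(dir, "server.INFO")
	f := openLogOrExit(logPath) // fresh path: created
	fmt.Fprintln(f, "first run wrote this line")
	f.Close()
	openLogOrExit(logPath) // path now exists: exits with status 2
}
```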
