Your message dated Tue, 11 Feb 2025 06:49:37 +0000
with message-id <[email protected]>
and subject line Bug#1094733: fixed in golang-glog 1.2.4-1
has caused the Debian Bug report #1094733,
regarding golang-glog: CVE-2024-45339
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1094733: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094733
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-glog
Version: 1.2.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for golang-glog.
CVE-2024-45339[0]:
| When logs are written to a widely-writable directory (the default),
| an unprivileged attacker may predict a privileged process's log file
| path and pre-create a symbolic link to a sensitive file in its
| place. When that privileged process runs, it will follow the planted
| symlink and overwrite that sensitive file. To fix that, glog now
| causes the program to exit (with status code 2) when it finds that
| the configured log file already exists.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-45339
https://www.cve.org/CVERecord?id=CVE-2024-45339
[1] https://github.com/golang/glog/commit/a0e3c40a0ed0cecc58c84e7684d9ce55a54044ee
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
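The failure mode and the "refuse if the file already exists" behaviour described in the CVE text above can be reproduced safely inside a private temporary directory. This is an added example, not code from glog or from this bug report; `openFollow`, `openExclusive`, `demo` and the file names are hypothetical, and the sample files are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// openFollow: create-or-truncate follows a symlink already present at path.
func openFollow(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
}

// openExclusive: O_EXCL fails with os.ErrExist on any existing entry, symlinks included.
func openExclusive(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
}

// demo plants a symlink at a constructed log path and tests both open strategies.
func demo() (refused, clobbered bool, err error) {
	dir, err := os.MkdirTemp("", "logdemo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)
	target := filepath.Join(dir, "sensitive.conf") // constructed stand-in file
	logPath := filepath.Join(dir, "app.log.INFO")  // constructed log file name
	if err = os.WriteFile(target, []byte("keep\n"), 0o600); err != nil {
		return false, false, err
	}
	if err = os.Symlink(target, logPath); err != nil {
		return false, false, err
	}
	_, exclErr := openExclusive(logPath)
	data, _ := os.ReadFile(target)
	refused = errors.Is(exclErr, os.ErrExist) && string(data) == "keep\n"
	f, err := openFollow(logPath)
	if err != nil {
		return refused, false, err
	}
	f.Close()
	data, err = os.ReadFile(target)
	return refused, err == nil && len(data) == 0, err
}

func main() {
	fmt.Println(demo()) // expected: true true <nil>
}
```

A logger that receives the `os.ErrExist` error from the exclusive open can then stop, which matches the exit with status code 2 that the advisory text describes.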
--- Begin Message ---
Source: golang-glog
Source-Version: 1.2.4-1
Done: Andrej Shadura <[email protected]>
We believe that the bug you reported is fixed in the latest version of
golang-glog, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrej Shadura <[email protected]> (supplier of updated golang-glog package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 11 Feb 2025 07:27:37 +0100
Source: golang-glog
Architecture: source
Version: 1.2.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Andrej Shadura <[email protected]>
Closes: 1094733
Changes:
golang-glog (1.2.4-1) unstable; urgency=medium
.
* New upstream release (Closes: #1094733, CVE-2024-45339).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---