{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Medium" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"golang security update", "category":"general", "title":"Synopsis" }, { "text":"An update for golang is now available for openEuler-22.03-LTS-SP3.", "category":"general", "title":"Summary" }, { "text":"The Go Programming Language.\n\nSecurity Fix(es):\n\nThe archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.(CVE-2024-24789)", "category":"general", "title":"Description" }, { "text":"An update for golang is now available for openEuler-22.03-LTS-SP3.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Medium", "category":"general", "title":"Severity" }, { "text":"golang", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2024-1769", "category":"self", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1769" }, { "summary":"CVE-2024-24789", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2024-24789&packageName=golang" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24789" }, { "summary":"openEuler-SA-2024-1769 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2024/csaf-openeuler-sa-2024-1769.json" } ], "title":"An update for golang is now available for openEuler-22.03-LTS-SP3", "tracking":{ "initial_release_date":"2024-06-28T09:20:52+08:00", "revision_history":[ { "date":"2024-06-28T09:20:52+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T09:20:52+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T09:20:52+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T09:20:52+08:00", "id":"openEuler-SA-2024-1769", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"openEuler-22.03-LTS-SP3", "name":"openEuler-22.03-LTS-SP3" }, "name":"openEuler-22.03-LTS-SP3", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"golang-1.17.3-34.oe2203sp3.aarch64.rpm", "name":"golang-1.17.3-34.oe2203sp3.aarch64.rpm" }, "name":"golang-1.17.3-34.oe2203sp3.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"golang-help-1.17.3-34.oe2203sp3.noarch.rpm", "name":"golang-help-1.17.3-34.oe2203sp3.noarch.rpm" }, "name":"golang-help-1.17.3-34.oe2203sp3.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"golang-devel-1.17.3-34.oe2203sp3.noarch.rpm", "name":"golang-devel-1.17.3-34.oe2203sp3.noarch.rpm" }, "name":"golang-devel-1.17.3-34.oe2203sp3.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"golang-1.17.3-34.oe2203sp3.src.rpm", "name":"golang-1.17.3-34.oe2203sp3.src.rpm" }, "name":"golang-1.17.3-34.oe2203sp3.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"golang-1.17.3-34.oe2203sp3.x86_64.rpm", "name":"golang-1.17.3-34.oe2203sp3.x86_64.rpm" }, "name":"golang-1.17.3-34.oe2203sp3.x86_64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"golang-1.17.3-34.oe2203sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:golang-1.17.3-34.oe2203sp3.aarch64", "name":"golang-1.17.3-34.oe2203sp3.aarch64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"golang-help-1.17.3-34.oe2203sp3.noarch.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:golang-help-1.17.3-34.oe2203sp3.noarch", "name":"golang-help-1.17.3-34.oe2203sp3.noarch as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"golang-devel-1.17.3-34.oe2203sp3.noarch.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:golang-devel-1.17.3-34.oe2203sp3.noarch", "name":"golang-devel-1.17.3-34.oe2203sp3.noarch as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"golang-1.17.3-34.oe2203sp3.src.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:golang-1.17.3-34.oe2203sp3.src", "name":"golang-1.17.3-34.oe2203sp3.src as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"golang-1.17.3-34.oe2203sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:golang-1.17.3-34.oe2203sp3.x86_64", "name":"golang-1.17.3-34.oe2203sp3.x86_64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2024-24789", "notes":[ { "text":"The archive/zip package s handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP3:golang-1.17.3-34.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:golang-help-1.17.3-34.oe2203sp3.noarch", "openEuler-22.03-LTS-SP3:golang-devel-1.17.3-34.oe2203sp3.noarch", "openEuler-22.03-LTS-SP3:golang-1.17.3-34.oe2203sp3.src", "openEuler-22.03-LTS-SP3:golang-1.17.3-34.oe2203sp3.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP3:golang-1.17.3-34.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:golang-help-1.17.3-34.oe2203sp3.noarch", "openEuler-22.03-LTS-SP3:golang-devel-1.17.3-34.oe2203sp3.noarch", "openEuler-22.03-LTS-SP3:golang-1.17.3-34.oe2203sp3.src", "openEuler-22.03-LTS-SP3:golang-1.17.3-34.oe2203sp3.x86_64" ], "details":"golang security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1769" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.5, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP3:golang-1.17.3-34.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:golang-help-1.17.3-34.oe2203sp3.noarch", "openEuler-22.03-LTS-SP3:golang-devel-1.17.3-34.oe2203sp3.noarch", "openEuler-22.03-LTS-SP3:golang-1.17.3-34.oe2203sp3.src", "openEuler-22.03-LTS-SP3:golang-1.17.3-34.oe2203sp3.x86_64" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2024-24789" } ] }