FERRAMENTAS LINUX: Critical Security Vulnerabilities in Mageia 9: Golang Updates & Fixes (CVE-2025-4673, CVE-2025-0913, CVE-2025-22874)

terça-feira, 10 de junho de 2025

Critical Security Vulnerabilities in Mageia 9: Golang Updates & Fixes (CVE-2025-4673, CVE-2025-0913, CVE-2025-22874)

Mageia 9 addresses critical Golang vulnerabilities including information leaks (CVE-2025-4673), symlink handling flaws (CVE-2025-0913), and policy validation bypasses (CVE-2025-22874). Learn how updated packages secure your Linux system and protect sensitive data.

Security Risks and Resolutions in Mageia 9’s Golang Packages

1. Proxy-Authorization Header Leak (CVE-2025-4673)

A moderate-risk vulnerability in Golang allowed Proxy-Authorization and Proxy-Authenticate headers to persist during cross-origin redirects, potentially exposing sensitive authentication data.

This flaw could be exploited in man-in-the-middle (MITM) attacks or credential harvesting campaigns.

Key Fix: Mageia’s updated golang-1.24.4-1.mga9 package ensures headers are stripped during redirects, mitigating data leaks.

2. Inconsistent Symlink Handling (CVE-2025-0913)

Golang’s os.OpenFile function exhibited OS-dependent behavior when handling symbolic links:

Unix Systems: Ignored dangling symlinks (secure by default).
Windows Systems: Created files at symlink destinations (security risk).

Impact: Attackers could manipulate symlinks to overwrite files or escalate privileges. The patch standardizes behavior—always returning an error when O_CREATE|O_EXCL flags encounter symlinks.

3. Policy Validation Bypass in x509 Certificates (CVE-2025-22874)

A rare but critical bug in crypto/x509 unintentionally disabled policy validation when ExtKeyUsageAny was used in certificate chains. This affected systems relying on complex policy graphs, potentially allowing improperly signed certificates.

Solution: VerifyOptions.KeyUsages now enforces validation consistently.