A security update has been released for the golang-glog package in Debian GNU/Linux 10 (Buster) Extended LTS, addressing a vulnerability that could allow an unprivileged attacker to predict the log file path of a privileged process. This vulnerability, identified by CVE-2024-45339, could lead to an attacker creating a symbolic link to a sensitive file, potentially compromising system security.
The updated package, version 0.0~git20160126.23def4e-3+deb10u1, implements a safeguard whereby if the configured log file already exists, the program will terminate with a status code of 2, thus preventing the overwriting of sensitive files.
In addition to the golang-glog update, several other Go packages have been rebuilt to mitigate this issue. These include:
- golang-grpc-gateway version 1.6.4-2+deb10u1
- mtail version 3.0.0~rc19-2+deb10u1
- prometheus-mongodb-exporter version 1.0.0+git20180522.e755a44-1+deb10u1
This update is crucial for maintaining the security integrity of Debian 10 systems, particularly those running services that utilize logging mechanisms susceptible to such vulnerabilities. System administrators are advised to apply these updates promptly to safeguard against potential exploits.
Furthermore, users should consider reviewing their logging configurations to ensure that log files are directed to secure, non-writable directories to further reduce the risk of similar vulnerabilities in the future. Additionally, regular audits and updates of all packages are recommended as part of a proactive security posture
The updated package, version 0.0~git20160126.23def4e-3+deb10u1, implements a safeguard whereby if the configured log file already exists, the program will terminate with a status code of 2, thus preventing the overwriting of sensitive files.
In addition to the golang-glog update, several other Go packages have been rebuilt to mitigate this issue. These include:
- golang-grpc-gateway version 1.6.4-2+deb10u1
- mtail version 3.0.0~rc19-2+deb10u1
- prometheus-mongodb-exporter version 1.0.0+git20180522.e755a44-1+deb10u1
This update is crucial for maintaining the security integrity of Debian 10 systems, particularly those running services that utilize logging mechanisms susceptible to such vulnerabilities. System administrators are advised to apply these updates promptly to safeguard against potential exploits.
Furthermore, users should consider reviewing their logging configurations to ensure that log files are directed to secure, non-writable directories to further reduce the risk of similar vulnerabilities in the future. Additionally, regular audits and updates of all packages are recommended as part of a proactive security posture
Golang-Glog security update for Debian 10 ELTS
Updated golang-glog packages are now available for Debian GNU/Linux 10 (Buster) Extended LTS to resolve a vulnerability that allows an unprivileged attacker to predict the log file path of a privileged process and potentially create a symbolic link to a sensitive file in its place.
ELA-1417-1 golang-glog security updateGolang-Glog security update for Debian 10 ELTS @ Linux Compatible
