Updated golang-glog packages are now available for Debian GNU/Linux 10 (Buster) Extended LTS to resolve a vulnerability that allows an unprivileged attacker to predict the log file path of a privileged process and potentially create a symbolic link to a sensitive file in its place.

ELA-1417-1 golang-glog security update

ELA-1417-1 golang-glog security update

Package : golang-glog
Version : 0.0~git20160126.23def4e-3+deb10u1 (buster)

Related CVEs :
CVE-2024-45339

When logs are written to a widely-writable directory (the default), an
unprivileged attacker may predict a privileged process’s log file path
and pre-create a symbolic link to a sensitive file in its place. When
that privileged process runs, it will follow the planted symlink and
overwrite that sensitive file. To fix that, glog now causes the program
to exit (with status code 2) when it finds that the configured log file
already exists.

The following Go packages have been rebuilt in order to fix this
issue:

golang-grpc-gateway 1.6.4-2+deb10u1
mtail 3.0.0~rc19-2+deb10u1
prometheus-mongodb-exporter 1.0.0+git20180522.e755a44-1+deb10u1

ELA-1417-1 golang-glog security update