Login
Newsletter
Werbung
Sicherheit: Preisgabe von Informationen in go-gh
Aktuelle Meldungen Distributionen
Name: Preisgabe von Informationen in go-gh
ID: USN-7362-1
Distribution: Ubuntu
Plattformen: Ubuntu 24.04 LTS, Ubuntu 24.10
Datum: Fr, 21. März 2025, 19:09
Referenzen: https://launchpad.net/ubuntu/+source/golang-github-cli-go-gh-v2/2.6.0-1ubuntu0.24.10.1
https://www.cve.org/CVERecord?id=CVE-2024-53859
https://ubuntu.com/security/notices/USN-7362-1
Applikationen: go-gh

Originalnachricht

 
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============4488509032814214262==
Content-Language: en-US
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="------------Fp0lHP3lwKwjSXavnEOqNPQY"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------Fp0lHP3lwKwjSXavnEOqNPQY
Content-Type: multipart/mixed;
 boundary="------------au6W1nyCbr0U9ZvLhEbmN6mw";
 protected-headers="v1"
From: Julia Sarris <julia.sarris@canonical.com>
Reply-To: security@ubuntu.com
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <d4be19b0-ee13-42d5-ada9-f080ecb15b71@canonical.com>
Subject: [USN-7362-1] go-gh vulnerability

--------------au6W1nyCbr0U9ZvLhEbmN6mw
Content-Type: multipart/mixed;
 boundary="------------KAFWSPuCZQHp4qF2z5uP08LV"

--------------KAFWSPuCZQHp4qF2z5uP08LV
Content-Type: multipart/alternative;
 boundary="------------9KFVObhshGKALFIfwm3i5pTf"

--------------9KFVObhshGKALFIfwm3i5pTf
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

==========================================================================

Ubuntu Security Notice USN-7362-1
March 20, 2025

golang-github-cli-go-gh-v2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS

Summary:

go-gh could be made to expose sensitive information over the
network.

Software Description:
- golang-github-cli-go-gh-v2: Go module for interacting with gh and the 
GitHub API from the command line

Details:

It was discovered that go-gh incorrectly handled authentication
tokens. An attacker could possibly use this issue to leak
authentication tokens to the wrong host. (CVE-2024-53859)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
   golang-github-cli-go-gh-v2-dev  2.6.0-1ubuntu0.24.10.1

Ubuntu 24.04 LTS
   golang-github-cli-go-gh-v2-dev  2.6.0-1ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7362-1 
<https://ubuntu.com/security/notices/USN-7362-1>
   CVE-2024-53859

Package Information:
https://launchpad.net/ubuntu/+source/golang-github-cli-go-gh-v2/2.6.0-1ubuntu0.24.10.1 
<https://launchpad.net/ubuntu/+source/golang-github-cli-go-gh-v2/2.6.0-1ubuntu0.24.10.1>
--------------9KFVObhshGKALFIfwm3i5pTf
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html>
<html>
  <head>

    <meta http-equiv=3D"Content-Type" content=3D"text/html;
 charset=3DUTF=
-8">
  </head>
  <body>
   
 <p>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D</p>
    <div id=3D":19t" class=3D"a3s aiL ">
      Ubuntu Security Notice USN-7362-1<br>
      March 20, 2025<br>
      <br>
      golang-github-cli-go-gh-v2 vulnerability<br>
      =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D<wbr>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<wbr>=3D=3D=3D=3D=3D=3D=3D=3D=3D
=
=3D=3D=3D=3D=3D<br>
      <br>
      A security issue affects these releases of Ubuntu and its
      derivatives:<br>
      <br>
      - Ubuntu 24.10<br>
      - Ubuntu 24.04 LTS<br>
      <br>
      Summary:<br>
      <br>
      go-gh could be made to expose sensitive information over the<br>
      network.<br>
      <br>
      Software Description:<br>
      - golang-github-cli-go-gh-v2: Go module for interacting with gh
      and the GitHub API from the command line<br>
      <br>
      Details:<br>
      <br>
      It was discovered that go-gh incorrectly handled
 authentication<br>=

      tokens. An attacker could possibly use this issue to leak <br>
      authentication tokens to the wrong host. (CVE-2024-53859)<br>
      <br>
      Update instructions:<br>
      <br>
      The problem can be corrected by updating your system to the
      following<br>
      package versions:<br>
      <br>
      Ubuntu 24.10<br>
      =C2=A0 golang-github-cli-go-gh-v2-<wbr>dev=C2=A0
 2.6.0-1ubuntu0.24.=
10.1<br>
      <br>
      Ubuntu 24.04 LTS<br>
      =C2=A0 golang-github-cli-go-gh-v2-<wbr>dev=C2=A0
 2.6.0-1ubuntu0.24.=
04.1~esm1<br>
      =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Available with Ubuntu P=
ro<br>
      <br>
      In general, a standard system update will make all the necessary
      changes.<br>
      <br>
      References:<br>
      =C2=A0 <a href=3D"https://ubuntu.com/security/notices/USN-7362-1"
        rel=3D"noreferrer" target=3D"_blank"
data-saferedirecturl=3D"https://www.google.com/url?q=3Dhttps://ubuntu.com=
/security/notices/USN-7362-1&amp;source=3Dgmail&amp;ust=3D174257531134500
=
0&amp;usg=3DAOvVaw1thlh3z3m1eBTXjuYJcJM-">https://ubuntu.com/security/no<=
wbr>tices/USN-7362-1</a><br>
      =C2=A0 CVE-2024-53859<br>
      <br>
      Package Information:<br>
      =C2=A0 <a
href=3D"https://launchpad.net/ubuntu/+source/golang-github-cli-go-gh-v2/2=
=2E6.0-1ubuntu0.24.10.1"
        rel=3D"noreferrer" target=3D"_blank"
data-saferedirecturl=3D"https://www.google.com/url?q=3Dhttps://launchpad.=
net/ubuntu/%2Bsource/golang-github-cli-go-gh-v2/2.6.0-1ubuntu0.24.10.1&am=
p;source=3Dgmail&amp;ust=3D1742575311345000&amp;usg=3DAOvVaw2te9lbJaeA0RW
=
zhY22f0cl">https://launchpad.net/ubuntu/+<wbr>source/golang-github-cli-go=
-gh<wbr>-v2/2.6.0-1ubuntu0.24.10.1</a></div>
  </body>
</html>

--------------9KFVObhshGKALFIfwm3i5pTf--

--------------KAFWSPuCZQHp4qF2z5uP08LV
Content-Type: application/pgp-keys;
 name="OpenPGP_0x401EFCBCDA0FF1BD.asc"
Content-Disposition: attachment;
 filename="OpenPGP_0x401EFCBCDA0FF1BD.asc"
Content-Description: OpenPGP public key
Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP PUBLIC KEY BLOCK-----

xsBNBGao8McBCAD/mTHpWpp0rMyhX+xQYmuj1DoCiadFZysyAyKIFXODXRSOAQ58
YTf6BEuhPtEamZq+aJEGOTBJmUZxvGMv0Fo5yBN+OGoMA2CJQwxWQCZCptfivOCI
D5p2eANebDVXpZHHgpNwCyFVZR/UfSLMqX/y2wEi1AC4CKc3ihFBWdMJVdDk6zz0
4g/x4w76CZczUpe17QWD1XuAWUxmaVGM/TiKjktq3Lp6yZrb0QSYjCovXAGwfBmz
beludDi+EMDmh76PeKWfqQ38QSPEvN+Lv6OTjPWDfilfuOPpDZA2gsjNj3TaBllL
k9YW98OrqsbegQ0BhPgoPYQ3S15ikv53M8o/ABEBAAHNKUp1bGlhIFNhcnJpcyA8
anVsaWEuc2FycmlzQGNhbm9uaWNhbC5jb20+wsCRBBMBCgA7FiEEOMd9M4Vpc6WH
Yvv+QB78vNoP8b0FAmao8McCGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AA
CgkQQB78vNoP8b3fXQf6Awx8Nd5FkMMGdrWqBjIPZv1Ogkka2+PiIqwqcIeQGvam
V/bpIKOCb4QOS4kgQ+hNS1mmK+T/aWXRCYhiBIPAOIbo7jcMGxNz7V3+43RxlNVl
zt3feYM/QAJmgK8bjdCzI5ZQHiyX8pgOieCylRrcjroQHa9CxHej4aJGCaPGLFGo
81lYWJm21NP4LJTLk03ncJT8Ss64R28cOWUHujysxftAPHVYpPLdlwuJ3lgC8M5n
eq0qwsv22j62ldd/J7u2psRSczaU1ve/TfX71ZCyZZiw2Tm5HvaskD+CilXOaL2H
+KediuEtkQk5KKQikg2XtjbqCYyIxQT50v1TIu86ss7ATQRmqPDHAQgA5zGDufJq
9MhhDPJqM3Qz4kQXLKDXz2l5EovU5olrYerGmskpUBUSwfgAeBu9gMP5Y24spir3
eMm6O7m8EJsihMPCw4Iblzi9YZZX1TY3wegRXFIiaqW5kELnjhVnRpS9WQi9FDd9
gGPp7X3iQ8/B6+nyHitqhcj2A+Vpk5HaguY8zl3yEOwFnud5TEbSb/xYz7DhX5uv
B/FZ9rgn+j2N0hC/RVN1MpSRHZEbOCfpaYr/teiQexOWBlVVnZgCkHb9F0NiNImv
dXVZ18jY5wfgxemfgm8l4nDUlSMUIMiwGYekPMEuYvoDNPwfzzlYHKrVoqp54KMd
JALMUar1bVZtxQARAQABwsB2BBgBCgAgFiEEOMd9M4Vpc6WHYvv+QB78vNoP8b0F
Amao8McCGwwACgkQQB78vNoP8b10+ggA8nW+R2g9BDvkpurM0lwpaCtgKbaENIGg
lpxNXEEUEW7AaR4Mme+4PA/SdpWrFzVa0OGhqtZxkovUZXpgiLlx5/eR1Bl+TUuO
rjZkjGBy3r2Ce1JLwKilSZk7Bk45L7QDxA+NOLSFS7ADqzv37J2jhpfczqrYdpSj
kHgUvkapbuB0ONpQ/mhH9UDquY3eMGv3GSrvggVS0mKjR6bMl1plBWcfJ+Y//xQc
6S1bBdjbmwKMZjYbvhTpPbVeUOUdOg/0mYC/3rjSO+2OEn1Q+YIdfGqbLpDAbruG
m7XHtUOXesWorhDMzQGRpj7R+ed/9uJs0Nvg5FqAKTrzh+90ngEGuA=3D=3D
=3DQkbp
-----END PGP PUBLIC KEY BLOCK-----

--------------KAFWSPuCZQHp4qF2z5uP08LV--

--------------au6W1nyCbr0U9ZvLhEbmN6mw--

--------------Fp0lHP3lwKwjSXavnEOqNPQY
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature.asc"

-----BEGIN PGP SIGNATURE-----

wsB5BAABCAAjFiEEOMd9M4Vpc6WHYvv+QB78vNoP8b0FAmfdaLsFAwAAAAAACgkQQB78vNoP8b0c
DAgApVDywmxLzt7TJhRfl7HnJ4ANX3ElXvKg4QxBGrH5o1DoT16f5y7EBFntTGpSH8qRh5oAVd/M
8xOe90XXB94EoyyPM4zLkLp8ErDXkZdRUJBSDVsRZkZJYaaeZJeLx6XMkBBDDl+C+rTCVrdPmqfh
MNtTRRTRzoN/j4P3EHGmYTFaOJaaWj1qPgd0v6ykavUn1VvCJDFoPnWraFFJ3tZZvV0Yl8XCLm61
UVMPG7R6w+xg47oNkMcZQVKn0VIK5B9/+r0tyq4Yquk3+cDlAjmiyju6O6gF9YRIKf3gNH/OmK9+
JD+e8kaCHJaSpvPGwjtTINAIDLgcuvSttPqzPCFdpw==
=Qepo
-----END PGP SIGNATURE-----

--------------Fp0lHP3lwKwjSXavnEOqNPQY--


--===============4488509032814214262==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

Cg==

--===============4488509032814214262==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung