{"id":"MGASA-2025-0205","summary":"Updated golang packages fix security vulnerabilities","details":"Various uses of the Go toolchain in untrusted VCS repositories can\nresult in unexpected code execution. When using the Go toolchain\nin directories fetched using various VCS tools (such as directly\ncloning Git or Mercurial repositories) can cause the toolchain to\nexecute unexpected commands, if said directory contains multiple\nVCS configuration metadata (such as a '.hg' directory in a Git\nrepository). This is due to how the Go toolchain attempts to resolve\nwhich VCS is being used in order to embed build information in binaries\nand determine module versions.\n","modified":"2026-01-30T01:17:42.309070Z","published":"2025-07-11T18:52:28Z","related":["CVE-2025-4674"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2025-0205.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=34456"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2025/07/08/5"},{"type":"REPORT","url":"https://github.com/golang/go/issues/74382"}],"affected":[{"package":{"name":"golang","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/golang?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.24.5-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0205.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}