Security information

Updated the following middleware component version to resolve vulnerabilities in MSR:

  • [ENGDTR-4293] Golang 1.21.12

Resolved CVEs, as detailed:

| CVE | Status | Problem details from upstream |
|---|---|---|
| CVE-2024-24790 | Resolved | The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. |
| CVE-2021-4048 | Not Vulnerable | An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory. |
| CVE-2023-50447 | Not Vulnerable | Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter). |
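
The CVE-2024-24790 behaviour described above concerns the Is methods in Go's net/netip package. As an added example (not MSR or upstream Go code), the check below normalizes IPv4-mapped IPv6 addresses with `Unmap()` before classifying them, so the result is the same with or without the runtime fix; `isInternal`, `classify` and the sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// isInternal reports whether addr is loopback, private, link-local or
// unspecified. Unmap() converts ::ffff:a.b.c.d to a.b.c.d first, so the
// result does not depend on how the Go release in use treats mapped addresses.
func isInternal(addr netip.Addr) bool {
	a := addr.Unmap()
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsUnspecified()
}

// classify parses s and applies isInternal; unparseable input is an error so
// callers can fail closed.
func classify(s string) (bool, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false, fmt.Errorf("invalid address %q: %w", s, err)
	}
	return isInternal(addr), nil
}

func main() {
	// Constructed sample inputs (hypothetical, not from the release notes).
	samples := []string{
		"127.0.0.1", "::ffff:127.0.0.1", "::ffff:10.0.0.5",
		"::ffff:169.254.10.20", "::ffff:203.0.113.10", "2001:db8::1",
	}
	for _, s := range samples {
		addr := netip.MustParseAddr(s)
		// raw is what code calling the Is methods directly would see; for the
		// mapped forms it is false on Go releases without the CVE-2024-24790 fix.
		raw := addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast()
		internal, _ := classify(s)
		fmt.Printf("%-22s raw=%-5t normalized=%t\n", s, raw, internal)
	}
}
```

Comparing the `raw` and `normalized` columns on a given build shows whether code that calls the Is methods directly is relying on the runtime fix.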