Detections
Analytics
TencentOS Server 4: golang (TSSA-2024:0493)
high Nessus Plugin ID 238614
Synopsis
The remote TencentOS Server 4 host is missing one or more security updates.Description
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0493 advisory.Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:
CVE-2024-34158:
Calling Parse on a // +build build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
CVE-2024-34156:
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
CVE-2024-34155:
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
CVE-2024-24791:
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an Expect:
100-continue header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending Expect: 100-continue requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
CVE-2024-24790:
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
CVE-2024-24789:
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
https://mirrors.tencent.com/tlinux/errata/tssa-20240493.xml
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24789
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156
Plugin Details
Severity: High
ID: 238614
File Name: tencentos_TSSA_2024_0493.nasl
Version: 1.1
Type: local
Family: Tencent Local Security Checks
Published: 6/16/2025
Updated: 6/16/2025
Supported Sensors: Nessus
Vulnerability Information
CPE: p-cpe:/a:tencent:tencentos_server:golang, cpe:/o:tencent:tencentos_server:4
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/etc/os-release, Host/TencentOS/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 10/9/2024
Vulnerability Publication Date: 10/9/2024