| Summary: | golang new security issue CVE-2014-7189 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | bruno, pterjan, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/615623/ | ||
| Whiteboard: | has_procedure advisory mga4-32-ok mga4-64-ok | ||
| Source RPM: | golang-1.3.1-2.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-09-26 21:40:20 CEST
David Walser
2014-09-26 21:40:38 CEST
CC:
(none) =>
bruno, pterjan Fixed in cauldron. Waiting for feedback for mga4 Status:
NEW =>
ASSIGNED golang-1.3.2-2.mga5 uploaded for Cauldron. Version:
Cauldron =>
4 I submitted golang as well for mga4, by using the upstream patch mentioned upper, and adapting it to the directory structure. Thanks Bruno! Advisory: ======================== Updated golang packages fix security vulnerability: Go 1.1 through 1.3.2 has an issue that affects programs that use crypto/tls to implement a TLS server. If the server enables TLS client authentication using certificates and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes (CVE-2014-7189). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7189 http://openwall.com/lists/oss-security/2014/09/26/28 ======================== Updated packages in core/updates_testing: ======================== golang-1.1.2-3.1.mga4 golang-vim-1.1.2-3.1.mga4 emacs-golang-1.1.2-3.1.mga4 xemacs-golang-1.1.2-3.1.mga4 from golang-1.1.2-3.1.mga4.src.rpm Assignee:
joequant =>
qa-bugs Testing complete mga4 64 Just testing the package is functional. Testing with some examples from the golang tour and following the first part of a tutorial video.. http://tour.golang.org http://www.youtube.com/watch?v=XCsL89YtqCs Hello world example: $ cat hello.go package main import "fmt" func main() { fmt.Println("Hello, World!") } Web server example: $ cat webserver.go package main import ( "fmt" "net/http" ) type Hello struct{} func (h Hello) ServeHTTP( w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "Hello!") } func main() { var h Hello http.ListenAndServe("localhost:4000", h) } Using these for testing.. $ mkdir gocode $ cd .. $ mkdir gocode $ export GOPATH=$HOME/gocode $ cd gocode $ mkdir -p src/examples $ cd src/examples $ mkdir hello $ cd hello $ go install $ ls ~/gocode/bin hello* $ ~/gocode/bin/hello Hello, World! $ cd .. $ mkdir webserver $ cd webserver $ go install $ ls ~/gocode/bin hello* webserver* $ ~/gocode/bin/webserver Open http://localhost:4000 in a browser.. Hello! Whiteboard:
(none) =>
has_procedure mga4-64-ok Testing complete mga4 32 Whiteboard:
has_procedure mga4-64-ok =>
has_procedure mga4-32-ok mga4-64-ok Validating. Advisory uploaded. Could sysadmin please push to 4 updates Thanks Keywords:
(none) =>
validated_update An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0410.html Status:
ASSIGNED =>
RESOLVED
David Walser
2014-10-09 18:34:30 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/615623/ |