Bug 18482

Summary: golang new security issue CVE-2016-3959
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: bruno, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/685138/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: golang-1.4.3-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-05-18 18:32:04 CEST
OpenSuSE has issued an advisory today (May 18):
https://lists.opensuse.org/opensuse-updates/2016-05/msg00077.html

The CVE-2015-8618 issue they also fixed only affects 1.5+.

They apparently believe that CVE-2016-3959 affects 1.4.x though, hence this update.

The issue is fixed in versions 1.5.4 and 1.6.1.

Comment 1 Bruno Cornec 2016-05-22 02:05:22 CEST
Hello,

I've backported the golang 1.6.2 that we have in cauldron for mga6.

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Assignee: bruno => qa-bugs

Comment 2 David Walser 2016-05-22 02:15:15 CEST
Can't close it until it's tested and pushed.

I guess the best test case for this would be to use the updated golang to build the docker package. Would you agree, Bruno?

Status: RESOLVED => REOPENED
CC: (none) => bruno
Resolution: FIXED => (none)

Comment 3 Bruno Cornec 2016-05-22 02:41:05 CEST
Yep. Let me do that. I was indeed looking at the docker BR as well ;-)

Will let you know when it's done.

Comment 4 Bruno Cornec 2016-05-23 02:05:51 CEST
I've rebuilt both docker 1.9.1 for mga5 and docker 1.11.1 on mga5 with that version without issue, so at least it seems to work for that requirement.

Comment 5 David Walser 2016-05-23 02:23:15 CEST
Successfully used to build the docker update, marking as OK.

Advisory in SVN updated.

type: security
subject: Updated golang package fixes CVE-2016-3959
CVE:
 - CVE-2016-3959
src:
  5:
   core:
     - golang-1.6.2-7.mga5
description: |
  Updated golang packages fix security vulnerability:

  Go has an infinite loop in several big integer routines that makes
  Go programs vulnerable to remote denial of service attacks. Programs
  using HTTPS client authentication or the Go ssh server libraries are
  both exposed to this vulnerability (CVE-2016-3959).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=18482
 - https://lists.opensuse.org/opensuse-updates/2016-05/msg00077.html

Updated packages:
================
golang-1.6.2-7.mga5
golang-docs-1.6.2-7.mga5
golang-misc-1.6.2-7.mga5
golang-tests-1.6.2-7.mga5
golang-src-1.6.2-7.mga5
golang-bin-1.6.2-7.mga5
golang-shared-1.6.2-7.mga5

Whiteboard: (none) => MGA5-32-OK MGA5-64-OK advisory

Comment 6 claire robinson 2016-05-23 21:51:31 CEST
Good work, thanks. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2016-05-24 00:01:42 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0207.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED