| Summary: | golang new security issues CVE-2020-15586 and CVE-2020-16845 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | bruno, davidwhodgins, herman.viaene, smelror, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | golang-1.12.17-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser 2020-08-05 00:44:19 CEST

David Walser 2020-08-05 00:44:30 CEST
Whiteboard: (none) => MGA7TOO

Fedora has issued an advisory for this on July 30: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WIRVUHD7TJIT7JJ33FKHIVTHPYABYPHR/ They upgraded to 1.14.6. Assigning to Joseph who is the main maintainer; CC'ing Stig as having done recent updates.

CC: (none) => smelror
David Walser 2020-08-05 20:19:33 CEST
CC: (none) => bruno

Cauldron has already been updated to 1.14.6. Do you think updating 1.13.14 on MGA7 is sufficient? See https://github.com/golang/go/issues/40211
Cheers, Stig

Source RPM: golang-1.14.4-2.mga8.src.rpm, golang-1.12.17-1.mga7.src.rpm => golang-1.12.17-1.mga7.src.rpm

As long as we can still build docker with it, I think that's fine.

openSUSE has issued an advisory today (August 12): https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00028.html The issue is fixed upstream in 1.13.15 and 1.14.7.

Summary: golang new security issue CVE-2020-15586 => golang new security issues CVE-2020-15586 and CVE-2020-16845

Go has been updated to 1.15 on Cauldron.

Advisory:
========================

Updated golang packages fix security vulnerabilities:

Servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected (CVE-2020-15586).

Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This could lead to processing more input than expected when the caller is reading directly from the network and depends on ReadUvarint and ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs (CVE-2020-16845).

The golang package has been updated to version 1.13.15, fixing these issues and containing several other bug fixes and enhancements. See the 1.13 release notes and other references for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16845
https://golang.org/doc/go1.13
https://golang.org/doc/devel/release.html#go1.13.minor
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/golang-announce/XZNfaiwgt2w/E6gHDs32AQAJ
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!topic/golang-announce/NyPIaucMgXo
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html
========================

Updated packages in core/updates_testing:
========================

golang-1.13.15-1.mga7
golang-docs-1.13.15-1.mga7
golang-misc-1.13.15-1.mga7
golang-tests-1.13.15-1.mga7
golang-src-1.13.15-1.mga7
golang-bin-1.13.15-1.mga7
golang-shared-1.13.15-1.mga7

from golang-1.13.15-1.mga7.src.rpm

Assignee: joequant => qa-bugs

MGA7-64 Plasma on Lenovo B50
No installation issues.
Copied suffixarray folder from testdata into my home and tried "go build" on these, but got either no feedback at all (and no new file generated) or missing items. Giving up.

CC: (none) => herman.viaene

We usually test this by building the docker package.

OK Herman and David, about to try that.

CC: (none) => tarazed25

mga7, x86_64
$ mgarepo co -d 7 docker
Using the svn mirror.
HTTP request sent, awaiting response... 200 OK
Length: 15299640 (15M) [application/x-tar]
Saving to: ‘docker/SOURCES/v18.09.9.tar.gz’
docker/SOURCES/v18. 100%[===================>] 14.59M 3.31MB/s in 4.4s
2020-08-14 19:27:31 (3.31 MB/s) - ‘docker/SOURCES/v18.09.9.tar.gz’ saved [15299640/15299640]
$ cd docker
$ bm -ls
creating package list
processing package docker-%{moby_version}-%mkrel 1
building source package
warning: Macro expanded in comment on line 40: %{shortcommit}
Wrote: /home/lcl/qa/golang/docker/SRPMS/docker-18.09.9-1.1.mga7.src.rpm
succeeded!
$ sudo urpmi --buildrequires SPECS/docker.spec
warning: Macro expanded in comment on line 40: %{shortcommit}
In order to satisfy the 'go-md2man' dependency, one of the following packages is needed:
1- go-md2man-1.0.8-1.mga7.x86_64: Transform md into man pages (to install)
2- golang-github-cpuguy83-go-md2man-1.0.8-1.mga7.x86_64: Process markdown into manpages (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release")
go-md2man 1.0.8 1.mga7 x86_64
golang-net-devel 0.1.git84a4> 9.mga7 x86_64
lib64ltdl-devel 2.4.6 9.mga7 x86_64
(medium "Core Updates")
lib64devmapper-devel 1.02.154 1.1.mga7 x86_64
(medium "Core Updates Testing")
btrfs-progs 5.7 1.mga7 x86_64
lib64btrfs-devel 5.7 1.mga7 x86_64
lib64btrfs0 5.7 1.mga7 x86_64
4.1MB of additional disk space will be used.
1.9MB of packages will be retrieved.
Proceed with the installation of the 7 packages? (Y/n) Y
......
$ bm -l
creating package list
processing package docker-%{moby_version}-%mkrel 1
building source and binary packages
warning: Macro expanded in comment on line 40: %{shortcommit}
Executing(%prep): /bin/sh -e /home/lcl/qa/golang/docker/BUILDROOT/rpm-tmp.j6sAeg
+ umask 022
+ cd /home/lcl/qa/golang/docker/BUILD
......
+ umask 022
+ cd /home/lcl/qa/golang/docker/BUILD
+ cd docker-ce-18.09.9
+ /usr/bin/rm -rf /home/lcl/qa/golang/docker/BUILDROOT/docker-18.09.9-1.1.mga7.x86_64
+ exit 0
succeeded!
$ cd ../RPMS/x86_64
$ ls * | grep 09.9
docker-18.09.9-1.1.mga7.x86_64.rpm
docker-devel-18.09.9-1.1.mga7.x86_64.rpm
docker-fish-completion-18.09.9-1.1.mga7.x86_64.rpm
docker-logrotate-18.09.9-1.1.mga7.x86_64.rpm
docker-nano-18.09.9-1.1.mga7.x86_64.rpm
docker-unit-test-18.09.9-1.1.mga7.x86_64.rpm
docker-vim-18.09.9-1.1.mga7.x86_64.rpm
docker-zsh-completion-18.09.9-1.1.mga7.x86_64.rpm
Checked against the already installed docker:
$ rpm -q docker
docker-18.09.9-1.1.mga7
Skipping the HelloWorld stage - this looks OK.

Whiteboard: (none) => MGA7-64-OK

Had a look at suffixarray but could not figure out how to run the example_test. A simple hello.go runs and builds fine.
$ export GOHOME=/home/lcl/go/
Sources in ~/go/src
Used a local QA directory for testing.
$ cd ~/qa/golang
$ go run hello.go
Good morning QA
!AQ gninrom dooG
$ go build hello.go
$ ./hello
Good morning QA
!AQ gninrom dooG
$ cd ~/go/src
$ ls
example_test.go hello.go sais.go suffixarray.go
gen.go sais2.go stringutil/ suffixarray_test.go
gen.go is the only other file with a main function and looks like it regenerates sais.go but in fact does not work from the test directory - it has to be run in the src directory.
$ grep -H "func main()" *
gen.go:func main() {
hello.go:func main() {
$ cd ~/qa/golang
$ go build gen.go
can't load package: package gen.go: cannot find package "gen.go" in any of:
/usr/lib/golang/src/gen.go (from $GOROOT)
/home/lcl/go/src/gen.go (from $GOPATH)
$ cd $GOPATH/src
$ go build gen.go
$ ll
-rwxr-xr-x 1 lcl lcl 2252965 Aug 15 01:31 gen*
-rw-r--r-- 1 lcl lcl 1932 Aug 15 00:12 gen.go
-rw-r--r-- 1 lcl lcl 53710 Aug 15 01:32 sais2.go
-rw-r--r-- 1 lcl lcl 33261 Aug 15 00:12 sais.go
Taking this no further - there is obviously a lot more to know about file disposition in golang.
s/GOHOME/GOPATH/
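The CVE-2020-16845 entry in the advisory above describes ReadUvarint and ReadVarint consuming unbounded input on invalid data. As an added example (not code from this bug report, from Mageia or from the Go project), the following Go wrapper enforces the caller's own bound of binary.MaxVarintLen64 bytes regardless of which Go version does the decoding, exercised on a constructed valid varint and a constructed stream that never terminates; the type and function names are the example's own.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ErrVarintTooLong: the caller-side bound was hit before the varint ended.
var ErrVarintTooLong = errors.New("varint longer than MaxVarintLen64 bytes")

// boundedByteReader hands out at most limit bytes from the wrapped reader,
// so a hostile stream cannot make the decoder consume unbounded input.
type boundedByteReader struct {
	r     io.ByteReader
	limit int
	n     int // bytes consumed so far
}

func (b *boundedByteReader) ReadByte() (byte, error) {
	if b.n >= b.limit {
		return 0, ErrVarintTooLong
	}
	b.n++
	return b.r.ReadByte()
}

// ReadUvarintBounded decodes one unsigned varint, consuming at most
// binary.MaxVarintLen64 (10) bytes; it also reports how many were read.
func ReadUvarintBounded(r io.ByteReader) (uint64, int, error) {
	br := &boundedByteReader{r: r, limit: binary.MaxVarintLen64}
	v, err := binary.ReadUvarint(br)
	return v, br.n, err
}

// continuationStream is a constructed hostile input: every byte has the
// continuation bit set, so the varint never terminates.
type continuationStream struct{}

func (continuationStream) ReadByte() (byte, error) { return 0x80, nil }

func main() {
	v, n, err := ReadUvarintBounded(bytes.NewReader([]byte{0xAC, 0x02}))
	fmt.Println(v, n, err) // 300 2 <nil>
	_, n, err = ReadUvarintBounded(continuationStream{})
	fmt.Println(n, err) // 10 bytes consumed, then an error (never an endless read)
}
```

On a patched Go the error comes from ReadUvarint's own overflow check; on an unpatched one it comes from the wrapper, so the bound holds either way.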
David Walser 2020-08-16 16:06:15 CEST
Keywords: (none) => validated_update

Advisory and package list in Comment 7.
Dave Hodgins 2020-08-18 18:00:03 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0325.html

Resolution: (none) => FIXED