| Summary: | golang new security issue CVE-2021-36221 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, joequant, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | golang-1.15.14-1.mga8.src.rpm | CVE: | CVE-2021-36221 |
| Status comment: | |||
Description
David Walser 2021-08-20 17:40:38 CEST

David Walser 2021-08-20 17:41:23 CEST
Status comment: (none) => Fixed upstream in 1.15.15 and 1.16.7

SUSE advisory for 1.15.15:
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009321.html

openSUSE advisories for this from today:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QBLRS3I4ZUSJEMER3J6HA6RD4XDIQYHC/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7FPUQARVFSVTNWXPM6OPHZLDEEMVSSM3/

Various people commit 'golang', so assigning globally; a couple of the most relevant are CC'd.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36221
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009314.html
https://groups.google.com/g/golang-announce/c/uHACNfXAZqk
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009321.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QBLRS3I4ZUSJEMER3J6HA6RD4XDIQYHC/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7FPUQARVFSVTNWXPM6OPHZLDEEMVSSM3/
========================

Updated packages in core/updates_testing:
========================
golang-docs-1.15.15-1.mga8
golang-misc-1.15.15-1.mga8
golang-1.15.15-1.mga8
golang-tests-1.15.15-1.mga8
golang-src-1.15.15-1.mga8
golang-shared-1.15.15-1.mga8
golang-bin-1.15.15-1.mga8

from SRPM:
golang-1.15.15-1.mga8.src.rpm

CVE: (none) => CVE-2021-36221

mga8, x86
Could not find a specific reproducer for the issue in CVE-2021-36221 so went ahead with the updates.
Built docker to test golang capabilities, our traditional test.
$ mgarepo co docker
$ cd docker
$ ll
total 8
drwxr-xr-x 2 lcl lcl 4096 Aug 30 22:45 SOURCES/
drwxr-xr-x 2 lcl lcl 4096 Aug 30 22:45 SPECS/
$ bm -ls
creating package list
processing package %{origname}-%{moby_version}-%mkrel 1
building source package
warning: Macro expanded in comment on line 40: %{shortcommit_moby}
warning: line 115: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-swarm
warning: line 117: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-vim
Wrote: /home/lcl/go/golang/docker/SRPMS/docker-20.10.5-1.mga8.src.rpm
succeeded!
$ ls
BUILD/ BUILDROOT/ RPMS/ SOURCES/ SPECS/ SRPMS/
$ sudo urpmi --buildrequires SPECS/docker.spec
.............
Proceed with the installation of the 48 packages? (Y/n)
$ bm
creating package list
processing package %{origname}-%{moby_version}-%mkrel 1
building source and binary packages
<3 minute wait - 2 cores running flat out>
succeeded!
$ cd RPMS/x86_64
$ ll
total 74104
-rw-r--r-- 1 lcl lcl 36386250 Aug 30 22:54 docker-20.10.5-1.mga8.x86_64.rpm
-rw-r--r-- 1 lcl lcl 39430606 Aug 30 22:54 docker-devel-20.10.5-1.mga8.x86_64.rpm
-rw-r--r-- 1 lcl lcl 14607 Aug 30 22:53 docker-fish-completion-20.10.5-1.mga8.x86_64.rpm
-rw-r--r-- 1 lcl lcl 7555 Aug 30 22:53 docker-logrotate-20.10.5-1.mga8.x86_64.rpm
-rw-r--r-- 1 lcl lcl 7151 Aug 30 22:53 docker-nano-20.10.5-1.mga8.x86_64.rpm
-rw-r--r-- 1 lcl lcl 25317 Aug 30 22:53 docker-zsh-completion-20.10.5-1.mga8.x86_64.rpm
OK for x86_64.

Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
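The suggested advisory above gives the fixed releases (1.15.15 and 1.16.7), and the tester notes there is no ready reproducer for the race, so the practical check on a host is the toolchain version itself. The following is an added example, not code from this bug report or from the Go project: it applies the advisory's version rule to a version string of the form returned by `runtime.Version()` (function names are my own; pre-release suffixes such as `rc1` are treated as patch level 0, an assumption).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseGoVersion turns "go1.15.14", "1.16" or "go1.16rc1" into [major, minor, patch];
// a missing patch level counts as 0 and pre-release suffixes are ignored.
func parseGoVersion(s string) ([3]int, error) {
	var v [3]int
	parts := strings.SplitN(strings.TrimPrefix(strings.TrimSpace(s), "go"), ".", 3)
	if len(parts) < 2 {
		return v, fmt.Errorf("unrecognised Go version %q", s)
	}
	for i, p := range parts {
		j := 0 // keep only the leading digits of each component ("16rc1" -> "16")
		for j < len(p) && p[j] >= '0' && p[j] <= '9' {
			j++
		}
		n, err := strconv.Atoi(p[:j])
		if err != nil {
			return v, fmt.Errorf("unrecognised Go version %q", s)
		}
		v[i] = n
	}
	return v, nil
}

// AffectedByCVE202136221 applies the advisory's rule: every release before
// 1.15.15 is affected, as is 1.16.x before 1.16.7; 1.17+ already carry the fix.
func AffectedByCVE202136221(version string) (bool, error) {
	v, err := parseGoVersion(version)
	if err != nil {
		return false, err
	}
	major, minor, patch := v[0], v[1], v[2]
	switch {
	case major != 1:
		return false, nil
	case minor < 15:
		return true, nil
	case minor == 15:
		return patch < 15, nil
	case minor == 16:
		return patch < 7, nil
	}
	return false, nil
}
```

Feeding it `runtime.Version()` on the Mageia 8 package before this update (1.15.14) reports affected; the updated 1.15.15 package does not.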
Thomas Backlund 2021-09-04 18:01:44 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0416.html

Resolution: (none) => FIXED