| Summary: | golang new security issues CVE-2021-39293 and CVE-2021-38297 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | bruno, davidwhodgins, joequant, mageia, marja11, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | golang-1.15.15-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2021-10-04 21:40:57 CEST
David Walser
2021-10-04 21:41:05 CEST
Whiteboard: (none) => MGA8TOO
Assigning to the registered maintainer.
Assignee: bugsquad => joequant
David Walser
2021-10-06 17:03:37 CEST
CC: (none) => bruno
openSUSE has issued an advisory for this on October 6:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5EY52N4KALEDKULS6YHUPW2C7OJTGHTS/
pushed into mga8/9
src:
- golang-1.15.15-1.1.mga8
Version: Cauldron => 8
(In reply to David Walser from comment #0)
> They also made an announcement of an upcoming advisory and 1.16.9 release
> today (October 4) which will be released on October 7:
> https://groups.google.com/g/golang-announce/c/7efr4VBoZIw
Here's the announcement from October 7:
https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A
Cauldron needs to be updated again to 1.16.9. I'm not sure if Mageia 8 is affected by this new issue.
Summary: golang new security issue CVE-2021-39293 => golang new security issues CVE-2021-39293 and CVE-2021-38297
golang-1.17.2-1.mga9 uploaded for Cauldron by Bruno.
Version: Cauldron => 8
same version uploaded for mga8 into update_testing
Assignee: mageia => qa-bugs
golang-docs-1.17.2-1.mga8
golang-misc-1.17.2-1.mga8
golang-tests-1.17.2-1.mga8
golang-src-1.17.2-1.mga8
golang-race-1.17.2-1.mga8
golang-shared-1.17.2-1.mga8
golang-bin-1.17.2-1.mga8
from golang-1.17.2-1.mga8.src.rpm
mga8, x64
Installed listed golang components.
$ go version
go version go1.15.15 linux/amd64
Set GOPATH and GOROOT variables.
$ go run src/hello.go
Good morning QA
!AQ gninrom dooG
Updated the files from updates testing.
qarepo failed on four of the files -
rsync: [Receiver] safe_read failed to read 1 bytes: Connection reset by peer (104)
Tried again and received the rest of the files but failed on the pubkey.
Tried again and the pubkey was received.
Proceeded with MageiaUpdate and that failed.
This keeps happening so I am abandoning qarepo.
Installed all the packages manually.
$ rpm -qa | grep golang
golang-docs-1.17.2-1.mga8
golang-1.17.2-1.mga8
golang-tests-1.17.2-1.mga8
golang-bin-1.17.2-1.mga8
golang-race-1.17.2-1.mga8
golang-misc-1.17.2-1.mga8
golang-src-1.17.2-1.mga8
golang-shared-1.17.2-1.mga8
Ran the helloworld test - OK.
Built docker using mgarepo and the build machine.
$ mgarepo co docker
$ cd docker
$ bm -s
creating package list
processing package %{origname}-%{moby_version}-%mkrel 1
building source package
succeeded!
$ sudo urpmi --buildrequires SPECS/docker.spec
.................
Proceed with the installation of the 59 packages? (Y/n)
$ bm
creating package list
processing package %{origname}-%{moby_version}-%mkrel 1
building source and binary packages
succeeded!
$ cd RPMS/x86_64
$ ls
docker-20.10.9-1.mga8.x86_64.rpm
docker-devel-20.10.9-1.mga8.x86_64.rpm
docker-fish-completion-20.10.9-1.mga8.x86_64.rpm
docker-logrotate-20.10.9-1.mga8.x86_64.rpm
docker-nano-20.10.9-1.mga8.x86_64.rpm
docker-zsh-completion-20.10.9-1.mga8.x86_64.rpm
Giving this the go-ahead and validating.
Whiteboard: (none) => MGA8-64-OK
Dave Hodgins
2021-10-13 20:59:01 CEST
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0475.html
Resolution: (none) => FIXED