Bug 30217

Summary: golang new security issue CVE-2022-24921
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, bruno, davidwhodgins, sysadmin-bugs, tarazed25
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: golang-1.17.7-1.mga9.src.rpm
CVE:
Status comment:

Description David Walser 2022-03-29 01:40:08 CEST
Upstream announced 1.17.8 on March 3, fixing a security issue:
https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk

Mageia 8 is also affected.
David Walser 2022-03-29 01:40:23 CEST

CC: (none) => bruno
Status comment: (none) => Fixed upstream in 1.17.8
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-03-29 21:34:34 CEST
Assigning this to Bruno who did the last few 'golang' version updates to fix bugs, like this one.

CC: bruno => (none)
Assignee: bugsquad => bruno

Comment 2 Bruno Cornec 2022-03-30 12:38:23 CEST
Thanks Lewis.
1.17.8 pushed to both cauldron and updates_testing of 8.

Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: bruno => qa-bugs
CC: (none) => bruno

Comment 3 David Walser 2022-03-30 15:52:22 CEST
golang-1.17.8-1.mga8
golang-misc-1.17.8-1.mga8
golang-docs-1.17.8-1.mga8
golang-src-1.17.8-1.mga8
golang-shared-1.17.8-1.mga8
golang-bin-1.17.8-1.mga8

from golang-1.17.8-1.mga8.src.rpm

Status comment: Fixed upstream in 1.17.8 => (none)

Comment 4 Len Lawrence 2022-03-30 17:04:33 CEST
mga8, x64

Used mgarepo and bm to perform a local build of docker as in numerous other update tests of golang. That all ran very smoothly.
$ cd docker
$ ls
BUILD/  BUILDROOT/  RPMS/  SOURCES/  SPECS/  SRPMS/
$ cd RPMS/x86_64
$ ll
total 68884
-rw-r--r-- 1 lcl lcl 33599070 Mar 30 15:53 docker-20.10.14-3.mga8.x86_64.rpm
-rw-r--r-- 1 lcl lcl 36872362 Mar 30 15:54 docker-devel-20.10.14-3.mga8.x86_64.rpm
-rw-r--r-- 1 lcl lcl    14607 Mar 30 15:53 docker-fish-completion-20.10.14-3.mga8.x86_64.rpm
-rw-r--r-- 1 lcl lcl     7557 Mar 30 15:53 docker-logrotate-20.10.14-3.mga8.x86_64.rpm
-rw-r--r-- 1 lcl lcl     7155 Mar 30 15:53 docker-nano-20.10.14-3.mga8.x86_64.rpm
-rw-r--r-- 1 lcl lcl    25328 Mar 30 15:53 docker-zsh-completion-20.10.14-3.mga8.x86_64.rpm
$ rpm -q docker
docker-20.10.14-3.mga8

This update is good for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-03-30 18:30:59 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-03-31 20:58:04 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-03-31 21:56:44 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0126.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED