| Summary: | golang-x-net new security issue CVE-2021-33194 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Guillaume Rousse <guillomovitch> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | guillomovitch, nicolas.salguero, tarazed25 |
| Version: | 8 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | golang-x-net-0-0.6.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2022-03-29 01:41:28 CEST
Updated package uploaded for Cauldron by Guillaume. golang-x-net-devel-0-0.6.1.mga8 golang-x-net-http-devel-0-0.6.1.mga8 from golang-x-net-0-0.6.1.mga8.src.rpm Assignee:
guillomovitch =>
qa-bugs mga8, x64 There appears to be nothing which depends on these packages which are not themselves development packages so this should be passed if they install cleanly. So far they do not. Sorry, the following package cannot be selected: - golang-x-net-http-devel-0-0.6.1.mga8.noarch (due to unsatisfied golang(golang.org/x/term)) $ rpm -q golang-x-net-devel golang-x-net-devel-0-0.6.1.mga8 $ urpmq --whatrequires golang-x-net-http-devel golang-etcd-devel golang-github-aws-sdk-devel golang-github-git-lfs-devel golang-github-google-devel golang-github-jcmturner-rpc-devel golang-github-onsi-gomega-devel golang-github-prometheus-common-promlog-devel golang-github-shurcool-httpgzip-devel golang-github-soheilhy-cmux-devel golang-github-ssgelm-cookiejarparser-devel golang-google-grpc-status-devel golang-grpc-go4-devel golang-x-build-devel golang-x-crypto-devel Setting feedback marker. Keywords:
(none) =>
feedback Guillaume, see the issue in Comment 2. Also, does this fix CVE-2022-1705 and CVE-2022-32148? https://access.redhat.com/errata/RHSA-2022:7529 Keywords:
feedback =>
(none) (In reply to David Walser from comment #3) > Also, does this fix CVE-2022-1705 and CVE-2022-32148? > https://access.redhat.com/errata/RHSA-2022:7529 Also CVE-2021-36221: https://access.redhat.com/errata/RHSA-2022:7457 Also CVE-2021-33197: https://access.redhat.com/errata/RHSA-2022:7954 Also CVE-2022-41723: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H3TV3H3BVCMDSV3OJHDP2XEDXZENDIG5/ https://bugzilla.redhat.com/show_bug.cgi?id=2178358 All vulnerabilites referenced here seems to be related with go itself, not with golang-x-net. The only one where golang-x-net is cited explicitely (CVE-2022-41723) mention 0.7 as the version fixing the issue, which is current cauldron version. If I understand correctly how go static linking works, we should check that everything relying on golang-x-net has been rebuild since this new version release (Sun Feb 26). That's quite easy for direct dependencies (60 different packages, all of them being other go library), but that doesn't cover transitive dependencies... It seems our current update policy doesn't scale with this kind of issue. How do other distribution handle it ? I have seen Fedora rebuild dozens of packages for these kinds of issues, but their build system and procedures makes that a lot easier to manage. I've seen more limited sets of rebuilds in some other distros, and nothing at all from some. We have done updates that required lots of rebuilds before, but usually because of binary-incompatible library updates, not typically for compiler issues. Mageia 8 EOL Resolution:
(none) =>
OLD |