| Summary: | golang-x-crypto new security issues CVE-2021-43565 and CVE-2022-27191 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Guillaume Rousse <guillomovitch> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | bruno, joequant, mageia, nicolas.salguero |
| Version: | 8 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | golang-x-crypto-0-3.mga9.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser
2022-04-22 20:19:36 CEST

David Walser
2022-04-22 20:19:51 CEST
CC: (none) => joequant

already fixed in cauldron

Whiteboard: MGA8TOO => (none)
Apparently docker-containerd needs to be rebuilt after fixing this:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QEUMK3PSJ5NWTNRYD4NCKCI2QFWD3MIU/

(In reply to David Walser from comment #2)
> Apparently docker-containerd needs to be rebuilt after fixing this:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QEUMK3PSJ5NWTNRYD4NCKCI2QFWD3MIU/

and so does golang-github-envoyproxy-protoc-gen-validate:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JEX3J6S5PUUNLWYVJJLRZR5OLVQSEG63/

and *possibly* golang-github-grpc-ecosystem-gateway (Fedora's is 2.x):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ROCG2IVQDIHQBGYEHNBEBAIBBAJPCP66/

and golang-github-spf13-cobra:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6O2PQN6JSSYP7W2TNO3CHA3MCRVZTCRF/

and golang-gopkg-src-d-git-4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HJDTRAFERVOQ4XRGCNPWBPV4NSEY7AHU/

and golang-x-perf:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NY243XWDC6FN2CYDWS6UTH23QFK7O4FB/

SUSE has issued an advisory on May 3:
https://lists.suse.com/pipermail/sle-security-updates/2022-May/010921.html

Their docker-containerd was affected by this and another golang-x-crypto issue.

Summary: golang-x-crypto new security issue CVE-2022-27191 => golang-x-crypto new security issues CVE-2021-43565 and CVE-2022-27191

(In reply to David Walser from comment #7)
> and golang-x-perf:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NY243XWDC6FN2CYDWS6UTH23QFK7O4FB/

and golang-x-exp:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CSK2WSATFKWMIL25LDCZSLZODLXQ47H4/

Updating to a new git snapshot requires new dependencies, such as golang-x-term, which were not present in Mageia 8. What is the procedure for introducing new packages in updates?

svn cp svn+ssh://svn.mageia.org/svn/packages/cauldron/golang-x-term svn+ssh://svn.mageia.org/svn/packages/updates/8/ -m 'backport golang-x-term dependency for golang-x-crypto update'

Something like that. Then you can mgarepo co it and set the release tag back to 1 if it isn't already.

Built so far by Guillaume:
golang-x-term-devel-0-1.mga8
golang-x-crypto-devel-0-0.31.1.mga8

from SRPMS:
golang-x-term-0-1.mga8.src.rpm
golang-x-crypto-0-0.31.1.mga8.src.rpm

Possibly needed rebuilds still pending.

(In reply to David Walser from comment #8)
> SUSE has issued an advisory on May 3:
> https://lists.suse.com/pipermail/sle-security-updates/2022-May/010921.html
>
> Their docker-containerd was affected by this and another golang-x-crypto issue.

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GLQWASKPS7Q4NRXKRDNAWDTE3NI3CGU3/
David Walser
2022-12-12 17:48:12 CET
Blocks: (none) => 31268

(In reply to David Walser from comment #2)
> Apparently docker-containerd needs to be rebuilt after fixing this:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QEUMK3PSJ5NWTNRYD4NCKCI2QFWD3MIU/

For me docker-containerd is not concerned as patches are related to the ssh subsystem which is not relevant to docker-containerd.

CC: (none) => bruno

Debian-LTS has issued an advisory on June 16:
https://www.debian.org/lts/security/2023/dla-3455

It lists some older issues that might affect this.
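Two questions run through the comments above: which dependent packages actually embed the affected golang.org/x/crypto revision and so need a rebuild, and (for docker-containerd) whether the ssh package the fixes touch is linked at all. The script below is an editor's added check for both; it is not from the bug report, from Fedora, SUSE or Debian, nor from Mageia's tooling. It reads `go version -m` and `go tool nm` output for a built binary. The fix timestamps are the pseudo-version commit dates given in the two CVE records (an assumption stated in the code, not something this thread records), and the `go version -m` sample embedded for the no-argument run is constructed.

```shell
#!/bin/sh
# Added example for this bug thread; not part of the report or of Mageia's tooling.
# Two checks for a built Go binary:
#   1. which golang.org/x/crypto revision is compiled in (go version -m), and
#      whether it predates the upstream fixes for CVE-2021-43565 / CVE-2022-27191;
#   2. whether the ssh package those fixes live in is linked at all (go tool nm).
# Fix timestamps are the pseudo-version commit dates named in the CVE records
# (assumed correct here; the bug report itself does not state them):
FIX_43565=20211202192323   # x/crypto/ssh fixed in v0.0.0-20211202192323-5770296d904e
FIX_27191=20220314234659   # x/crypto/ssh fixed in v0.0.0-20220314234659-1baeb1ce4c0b

# xcrypto_version: read `go version -m BINARY` output on stdin and print the
# golang.org/x/crypto version that was actually compiled in. A "=>" replace
# line directly after the dep line overrides it; a replacement by a different
# module path is printed as path@version so it is never mistaken for upstream.
xcrypto_version() {
    awk -F'\t' '
        $2 == "dep" && $3 == "golang.org/x/crypto" { v = $4; pending = 1; next }
        $2 == "=>" && pending {
            if ($3 == "golang.org/x/crypto") v = $4; else v = $3 "@" $4
            pending = 0; next
        }
        { pending = 0 }
        END { if (v != "") print v }'
}

# xcrypto_status VERSION: classify a version string.
# Pseudo-versions (vX.Y.Z-[0.]yyyymmddhhmmss-hash) are compared by commit
# timestamp; every tagged x/crypto release (v0.1.0, Sept 2022, onwards)
# postdates both fixes. An empty version means the binary carries no module
# info (GOPATH/vendor build), so only the nm check below can say anything.
xcrypto_status() {
    v=$1
    ts=$(printf '%s\n' "$v" | sed -n 's/^v[0-9][0-9.]*-\(0\.\)\{0,1\}\([0-9]\{14\}\)-[0-9a-f]\{12\}$/\2/p')
    if [ -n "$ts" ]; then
        if   [ "$ts" -ge "$FIX_27191" ]; then echo "fixed"
        elif [ "$ts" -ge "$FIX_43565" ]; then echo "vulnerable CVE-2022-27191"
        else                                  echo "vulnerable CVE-2021-43565 CVE-2022-27191"
        fi
    else
        case "$v" in
            "")      echo "unknown (no module info, GOPATH/vendor build)" ;;
            v[0-9]*) echo "fixed" ;;
            *)       echo "unknown ($v)" ;;
        esac
    fi
}

# links_ssh: read `go tool nm BINARY` output on stdin; "yes" if any symbol
# belongs to the golang.org/x/crypto/ssh package (also matches a vendored
# copy under .../vendor/golang.org/x/crypto/ssh). A binary that never links
# the package does not contain the code the two fixes change.
links_ssh() {
    if grep -q 'golang\.org/x/crypto/ssh\.'; then echo yes; else echo no; fi
}

# report BINARY...: run both checks against real files (needs the go toolchain).
report() {
    for bin in "$@"; do
        ver=$(go version -m "$bin" | xcrypto_version)
        printf '%s: x/crypto %s -> %s; links ssh: %s\n' \
            "$bin" "${ver:-<none>}" "$(xcrypto_status "$ver")" "$(go tool nm "$bin" | links_ssh)"
    done
}

# Constructed `go version -m` output (sample data, not a real Mageia binary):
# a dep pinned to a March 2021 snapshot, replaced at build time by the
# December 2021 commit, i.e. past the first fix but short of the second.
sample_version_m() {
    printf '/usr/bin/example: go1.16.15\n'
    printf '\tpath\texample.com/cmd/example\n'
    printf '\tmod\texample.com/cmd\t(devel)\n'
    printf '\tdep\tgithub.com/spf13/cobra\tv1.2.1\th1:constructed\n'
    printf '\tdep\tgolang.org/x/crypto\tv0.0.0-20210322153248-0c34fe9e7dc2\th1:constructed\n'
    printf '\t=>\tgolang.org/x/crypto\tv0.0.0-20211202192323-5770296d904e\th1:constructed\n'
}

# Usage: sh check-xcrypto.sh /usr/bin/containerd /usr/bin/some-go-tool
# With no arguments, classify the constructed sample instead.
if [ $# -gt 0 ]; then
    report "$@"
else
    sample_ver=$(sample_version_m | xcrypto_version)
    printf 'sample: x/crypto %s -> %s\n' "$sample_ver" "$(xcrypto_status "$sample_ver")"
fi
```

Two caveats when running this on distribution builds: binaries built in GOPATH mode from unpacked golang-*-devel sources carry no module list, so `go version -m` prints nothing and only the nm check is informative; and the nm check only says whether the ssh package is present, not whether the vulnerable code paths (the server-side handshake and host-key handling named in the CVEs) are reachable from the program's own entry points.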
Bruno Cornec
2023-07-25 16:59:20 CEST
Blocks: 31268 => (none)

(In reply to David Walser from comment #13)
> (In reply to David Walser from comment #8)
> > SUSE has issued an advisory on May 3:
> > https://lists.suse.com/pipermail/sle-security-updates/2022-May/010921.html
> >
> > Their docker-containerd was affected by this and another golang-x-crypto issue.
>
> Equivalent openSUSE advisory:
> https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GLQWASKPS7Q4NRXKRDNAWDTE3NI3CGU3/

Bruno,

What about this one w.r.t. docker-containerd?

(In reply to David Walser from comment #16)
> (In reply to David Walser from comment #13)
> > (In reply to David Walser from comment #8)
> > > SUSE has issued an advisory on May 3:
> > > https://lists.suse.com/pipermail/sle-security-updates/2022-May/010921.html
> > >
> > > Their docker-containerd was affected by this and another golang-x-crypto issue.
> >
> > Equivalent openSUSE advisory:
> > https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GLQWASKPS7Q4NRXKRDNAWDTE3NI3CGU3/
>
> Bruno,
>
> What about this one w.r.t. docker-containerd?

My comment has not changed since comment 14: For me docker-containerd is not concerned as patches are related to the ssh subsystem which is not relevant to docker-containerd.

Mageia 8 EOL

CC: (none) => nicolas.salguero