Bug 30835

Summary: golang new security issues CVE-2022-27664 and CVE-2022-32190
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, bruno, davidwhodgins, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: golang-1.17.13-1.mga8.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 30834    

Description David Walser 2022-09-09 19:12:37 CEST 
Golang 1.18.6 and 1.19.1 have been released on September 6, fixing security issues:
https://groups.google.com/g/golang-announce/c/x49AQzIVX-s

Mageia 8 is also affected.
David Walser 2022-09-09 19:12:57 CEST

Status comment: (none) => Fixed upstream in 1.18.6 and 1.19.1
Whiteboard: (none) => MGA8TOO

David Walser 2022-09-09 19:13:37 CEST

Blocks: (none) => 30834

Comment 1 David Walser 2022-09-14 00:11:32 CEST 
Fedora has issued an advisory for this today (September 13):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX/
Comment 2 Bruno Cornec 2022-09-15 23:25:37 CEST 
golang 1.19.1 pushed to cauldron

Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 8

Comment 3 Bruno Cornec 2022-09-15 23:27:20 CEST 
Do you want me to push 1.18.6 as an update to mga8 ? that shouldn't be a big issue per se IMO.
Comment 4 David Walser 2022-09-15 23:32:50 CEST 
That sounds like the right way to go.
Comment 5 David Walser 2022-09-22 14:00:45 CEST 
openSUSE has issued an advisory for this on September 21:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/45CM4RE6QKP7LNNZK47362IEHI6U3EGX/
Comment 6 Bruno Cornec 2022-10-01 19:16:05 CEST 
1.18.6 pushed to update_testing for mga8

Assignee: bruno => qa-bugs

Comment 7 David Walser 2022-10-01 21:13:34 CEST 
golang-tests-1.18.6-1.mga8
golang-1.18.6-1.mga8
golang-misc-1.18.6-1.mga8
golang-docs-1.18.6-1.mga8
golang-src-1.18.6-1.mga8
golang-shared-1.18.6-1.mga8
golang-bin-1.18.6-1.mga8

from golang-1.18.6-1.mga8.src.rpm

CC: (none) => bruno
Status comment: Fixed upstream in 1.18.6 and 1.19.1 => (none)

Comment 8 Len Lawrence 2022-10-02 19:23:17 CEST 
mga8, x86_64

No problems updating using qarepo and drakrpm-update.
Successful rebuild of current docker RPMs following the well-tested procedure.
$ cd
$ mgarepo co docker
$ cd docker
$ bm -s
creating package list
processing package %{origname}-%{moby_version}-%mkrel 3
building source package
succeeded!
$ sudo urpmi --buildrequires SPECS/docker.spec
$ bm -l
....
succeeded!
$ cd RPMS/x86_64
$ ll
total 67712
-rw-r--r-- 1 lcl lcl 32922665 Oct  2 18:07 docker-20.10.16-3.mga8.x86_64.rpm
-rw-r--r-- 1 lcl lcl 36349099 Oct  2 18:07 docker-devel-20.10.16-3.mga8.x86_64.rpm
-rw-r--r-- 1 lcl lcl    14607 Oct  2 18:06 docker-fish-completion-20.10.16-3.mga8.x86_64.rpm
-rw-r--r-- 1 lcl lcl     7560 Oct  2 18:06 docker-logrotate-20.10.16-3.mga8.x86_64.rpm
-rw-r--r-- 1 lcl lcl     7156 Oct  2 18:06 docker-nano-20.10.16-3.mga8.x86_64.rpm
-rw-r--r-- 1 lcl lcl    25328 Oct  2 18:06 docker-zsh-completion-20.10.16-3.mga8.x86_64.rpm

Good to go.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 9 Thomas Andrews 2022-10-03 02:24:27 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-10-05 01:46:21 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 10 Mageia Robot 2022-10-05 07:24:58 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0356.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED