Bug 31769

Summary: golang new security issues CVE-2023-2453[4678]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, bruno, davidwhodgins, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: golang-1.20.2-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-04-06 19:10:17 CEST 
Go 1.20.3 and Go 1.19.8 have been released on April 4, fixing security issues:
https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8

SUSE has issued an advisories for this today (April 6):
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014420.html
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014421.html

They also determined that conmon and skopeo needed to be rebuilt with this update:
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014423.html
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014387.html

Our skopeo package has a lot of other issues because it's unmaintained and/or has an unresponsive maintainer (see Bug 28885).

Mageia 8 is also affected.
David Walser 2023-04-06 19:10:38 CEST

Status comment: (none) => Fixed upstream in 1.19.8 and 1.20.3
Whiteboard: (none) => MGA8TOO

Comment 1 Bruno Cornec 2023-04-09 22:10:35 CEST 
1.20.3 on its way to updates_testing for cauldron.

Status: NEW => ASSIGNED

Comment 2 Bruno Cornec 2023-04-09 23:00:06 CEST 
1.19.8 on its way to updates_testing for mga8

Assignee: bruno => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 1.19.8 and 1.20.3 => (none)

Comment 3 David Walser 2023-04-09 23:11:57 CEST 
Note that the freeze move request for Cauldron is pending.

Mageia 8 update:
golang-1.19.8-1.mga8
golang-tests-1.19.8-1.mga8
golang-misc-1.19.8-1.mga8
golang-docs-1.19.8-1.mga8
golang-src-1.19.8-1.mga8
golang-shared-1.19.8-1.mga8
golang-bin-1.19.8-1.mga8

from golang-1.19.8-1.mga8.src.rpm

CC: (none) => bruno

Comment 4 Herman Viaene 2023-04-11 15:11:36 CEST 
Trying to follow Len's lead in bug 31575, but
$ mgarepo co docker
Host key verification failed.
svn: E170013: Unable to connect to a repository at URL 'svn+ssh://svn.mageia.org/svn/packages/cauldron/docker/current'
svn: E210002: To better debug SSH connection problems, remove the -q option from 'ssh' in the [tunnels] section of your Subversion configuration file.
svn: E210002: Network connection closed unexpectedly

CC: (none) => herman.viaene

Comment 5 David Walser 2023-04-11 15:58:58 CEST 
You need to use anonymous access to SVN.  See mgarepo.conf (and I believe this is documented on the wiki somewhere too).
Comment 6 Herman Viaene 2023-04-11 16:24:50 CEST 
Uncommented line in mgarepo.conf
mirror = svn://svn.mageia.org/svn/packages/
Then I could proceed
$ cd docker
$ mgarepo co docker
Using the svn mirror.
To be able to commit changes, use 'mgarepo switch' first.
A    docker/SOURCES
A    docker/SOURCES/sha1.lst
A    docker/SOURCES/docker.service
A    docker/SOURCES/docker-network.sysconfig
A    docker/SOURCES/docker-network-cleanup.sh
A    docker/SOURCES/docker-storage.sysconfig
A    docker/SOURCES/docker.socket
A    docker/SOURCES/docker.sysconfig
A    docker/SOURCES/docker-logrotate.sh
A    docker/SOURCES/README.docker-logrotate
A    docker/SPECS
A    docker/SPECS/docker.spec
Checked out revision 1952681.
etc......

$ bm -s
error: couldn't guess SPECS directory
Comment 7 David Walser 2023-04-11 16:26:11 CEST 
cd docker
Comment 8 Herman Viaene 2023-04-11 17:41:00 CEST 
$ cd docker
[tester8@mach7 docker]$ bm -s
creating package list
processing package %{origname}-%{moby_version}-%mkrel 1
building source package
succeeded!
$ bm -l
After installing a load of other golang packages I get 
$ bm -l
creating package list
processing package %{origname}-%{moby_version}-%mkrel 1
building source and binary packages
warning: Macro expanded in comment on line 43: %{shortcommit_moby}

warning: line 120: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-swarm
warning: line 122: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-vim
Executing(%prep): /bin/sh -e /home/tester8/docker/docker/BUILDROOT/rpm-tmp.u8R79b
+ umask 022
+ cd /home/tester8/docker/docker/BUILD
and more ........
and at the end
Executing(%clean): /bin/sh -e /home/tester8/docker/docker/BUILDROOT/rpm-tmp.3bucDd
+ umask 022
+ cd /home/tester8/docker/docker/BUILD
+ cd moby-20.10.22
+ /usr/bin/rm -rf /home/tester8/docker/docker/BUILDROOT/docker-20.10.22-1.mga8.x86_64
+ RPM_EC=0
++ jobs -p
+ exit 0
succeeded!
So OK for me.

Whiteboard: (none) => MGA8-64-OK

Comment 9 Thomas Andrews 2023-04-11 20:15:28 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-04-15 19:18:23 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 10 Mageia Robot 2023-04-15 21:05:34 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0145.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED