Bug 32052

Summary: golang new security issues CVE-2023-2940[2-5]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, bruno, davidwhodgins, mageia, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: golang-1.20.4-2.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-06-26 22:17:18 CEST 
Go 1.20.5 and Go 1.19.10 have been released on June 6, fixing security issues:
https://groups.google.com/g/golang-announce/c/q5135a9d924

Mageia 8 is also affected.

Bruno, if you become aware of a new Golang release before me, please file a bug after checking for the details here:
https://groups.google.com/g/golang-announce
David Walser 2023-06-26 22:17:39 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.19.10 and 1.20.5

Comment 1 Nicolas Lécureuil 2023-06-27 00:24:05 CEST 
fixed in cauldron.

CC: (none) => mageia
Version: Cauldron => 8

Nicolas Lécureuil 2023-06-27 00:24:45 CEST

Whiteboard: MGA8TOO => (none)

Comment 2 Bruno Cornec 2023-06-27 00:31:32 CEST 
(In reply to David Walser from comment #0)
> Bruno, if you become aware of a new Golang release before me, please file a
> bug after checking for the details here:
> https://groups.google.com/g/golang-announce

Sorry, in fact I realized that the version existed when trying to fix a security issue for Kubernetes, where they mentionned that their latest version was built with go 1.20.5. So I decided to upgrade it, but forgot to document that.

Will work on mga8 ASAP.

Thanks Nicolas for the move !

Status: NEW => ASSIGNED

Comment 3 David Walser 2023-06-27 00:47:48 CEST 
Nice, good catch!
Comment 4 Bruno Cornec 2023-06-27 01:04:45 CEST 
1.19.10 pushed to updates_testing for mga8

FTR I rebuilt golang 1.19.10 with itself without issue.

Assignee: bruno => qa-bugs

Comment 5 David Walser 2023-06-27 01:19:03 CEST 
golang-1.19.10-1.mga8
golang-tests-1.19.10-1.mga8
golang-misc-1.19.10-1.mga8
golang-docs-1.19.10-1.mga8
golang-src-1.19.10-1.mga8
golang-shared-1.19.10-1.mga8
golang-bin-1.19.10-1.mga8

from golang-1.19.10-1.mga8.src.rpm

Status comment: Fixed upstream in 1.19.10 and 1.20.5 => (none)
CC: (none) => bruno

Comment 6 Len Lawrence 2023-06-29 02:06:41 CEST 
Mageia8, x86_64
Updated all packages without problems.
Tested this in the time-honoured manner by local build of docker.

$ mgarepo co docker
$ cd docker
$ bm -s
$ sudo urpmi --buildrequires SPECS/docker.spec
<That pulled in 52 packages>
$ bm
creating package list
processing package %{origname}-%{moby_version}-%mkrel 1
building source and binary packages
succeeded!

System version: docker-20.10.22-1.mga8
$ ls RPMS/x86_64
docker-20.10.22-1.mga8.x86_64.rpm

Looks good.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 7 Thomas Andrews 2023-06-30 02:38:16 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-07-06 23:37:10 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2023-07-07 07:56:48 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0227.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED