| Summary: | golang new security issues CVE-2023-39326 and CVE-2023-4528[35] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, bruno, marja11, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8TOO MGA8-64-OK MGA9-64-OK | ||
| Source RPM: | golang-1.21.0-1.mga9.src.rpm, golang-1.20.5-1.mga9.src.rpm | CVE: | CVE-2023-39326, CVE-2023-45283, CVE-2023-45285 |
| Status comment: | Fixed upstream in 1.21.5 and 1.20.12 | ||
Description
Nicolas Salguero
2023-12-13 10:31:50 CET

Nicolas Salguero
2023-12-13 10:33:54 CET
Source RPM: (none) => golang-1.21.0-1.mga9.src.rpm, golang-1.20.5-1.mga9.src.rpm

Stig has done the most recent golang version updates, and as this is similar, assigning to you for 1.21.x. CC'ing Bruno for 1.20.x.
CC: (none) => bruno

I can take this update for all versions, but I'd like to update mga8 with 1.21.x because it's needed to finally solve the docker stack on that version and close https://bugs.mageia.org/show_bug.cgi?id=31733

For that we need to update the build nodes still running mga8 with that updated version of golang, so I can build after that the remaining part of the docker stack for all versions of Mageia.
Status: NEW => ASSIGNED

golang-1.21.5-1.mga9.src.rpm and golang-1.21.5-1.mga8.src.rpm on their way to be rebuilt for both distributions.

Please validate both updates, as mga8 is needing it for build nodes, pending their updates.
Assignee: smelror => qa-bugs

Marja Van Waes
2023-12-15 16:45:57 CET
CVE: (none) => CVE-2023-39326, CVE-2023-45283, CVE-2023-45285

Marja Van Waes
2023-12-15 16:52:02 CET
Whiteboard: NGA8TOO => MGA8TOO

The uploaded advisory can be seen here: https://svnweb.mageia.org/advisories/32622.adv?view=markup&pathrev=15402

What is the fastest way to find the included RPMs? They need to be listed for the QA testers.
Keywords: (none) => advisory

Sorry, missed that. Here is the list of what is built:
RPMS/noarch/golang-docs-1.21.5-1.mga9.noarch.rpm
RPMS/noarch/golang-misc-1.21.5-1.mga9.noarch.rpm
RPMS/noarch/golang-src-1.21.5-1.mga9.noarch.rpm
RPMS/noarch/golang-tests-1.21.5-1.mga9.noarch.rpm
RPMS/x86_64/golang-1.21.5-1.mga9.x86_64.rpm
RPMS/x86_64/golang-bin-1.21.5-1.mga9.x86_64.rpm
RPMS/x86_64/golang-shared-1.21.5-1.mga9.x86_64.rpm

Mageia9, x86_64
Clean update.
There are test files at /usr/lib/golang/src/cmd/compile/internal/test/ but no help document to go with them so we shall go with the usual test and try compiling docker.
$ mgarepo co docker
[...]
$ cd docker
$ sudo urpmi --buildrequires SPECS/docker.spec
warning: Macro expanded in comment on line 43: %{shortcommit_moby}
warning: line 120: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-swarm
warning: line 122: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-vim
In order to satisfy the 'golang(golang.org/x/text/encoding/htmlindex)' dependency, one of the following packages is needed:
1- golang-x-text-devel-0.3.7-3.mga9.noarch: Go text processing support (to install)
2- golang-golangorg-text-devel-0.3.3-2.mga9.noarch: Supplementary Go text libraries for golang.org/x/ imports (to install)
What is your choice? (1-2) 1
[...]
163MB of packages will be retrieved.
Proceed with the installation of the 355 packages? (Y/n)
<355 extra packages installed>
$ bm -l
[...]
line 120: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-swarm
line 122: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-vim
succeeded!
That looks OK.
$ cd RPMS/x86_64/
$ ls
docker-24.0.5-5.mga9.x86_64.rpm
docker-devel-24.0.5-5.mga9.x86_64.rpm
docker-fish-completion-24.0.5-5.mga9.x86_64.rpm
docker-logrotate-24.0.5-5.mga9.x86_64.rpm
docker-nano-24.0.5-5.mga9.x86_64.rpm
docker-zsh-completion-24.0.5-5.mga9.x86_64.rpm
Slight advance on installed docker.
$ rpm -q docker
docker-24.0.5-4.mga9
That looks like a successful local build so go looks fine.
CC: (none) => tarazed25

Mageia8, x86_64
Waiting for the updates. For mga8 they are available it seems:
http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/8/x86_64/media/core/updates_testing/

Mageia8, x86_64
golang-docs-1.21.5-1.mga8.noarch.rpm
golang-misc-1.21.5-1.mga8.noarch.rpm
golang-src-1.21.5-1.mga8.noarch.rpm
golang-tests-1.21.5-1.mga8.noarch.rpm
golang-1.21.5-1.mga8.x86_64.rpm
golang-bin-1.21.5-1.mga8.x86_64.rpm
golang-shared-1.21.5-1.mga8.x86_64.rpm
The seven packages updated cleanly.
$ mgarepo co docker
$ sudo urpmi --buildrequires SPECS/docker.spec
<49 RPMs pulled in>
$ bm -ls
<Set up the sources>
$ bm -l
<packages built>
$ ls
BUILD/ BUILDROOT/ RPMS/ SOURCES/ SPECS/ SRPMS/
$ cd RPMS/x86_64
$ ls
docker-24.0.5-5.mga8.x86_64.rpm
docker-devel-24.0.5-5.mga8.x86_64.rpm
docker-fish-completion-24.0.5-5.mga8.x86_64.rpm
docker-logrotate-24.0.5-5.mga8.x86_64.rpm
docker-nano-24.0.5-5.mga8.x86_64.rpm
docker-zsh-completion-24.0.5-5.mga8.x86_64.rpm
<compare>
$ rpm -q docker
docker-20.10.22-1.mga8
Passing this on.
Whiteboard: MGA8TOO MGA9-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK

Validating.
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0349.html
Resolution: (none) => FIXED
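The status comment above gives the first fixed upstream releases, 1.21.5 and 1.20.12. The following POSIX sh snippet is an added example, not part of the bug report and not Mageia tooling: it takes the line printed by `go version` and reports whether that toolchain is at or above the fixed release of its branch. The branch-to-fixed-release mapping is taken from the status comment and is an assumption of this example (any other branch is reported as "not covered", never as fixed); the sample version lines are constructed, not captured from the QA machines.

```shell
#!/bin/sh
# Added example, not from the Mageia bug report: check whether a Go toolchain
# is at or above the first fixed release of its branch. The fixed releases are
# the ones the bug's status comment names (1.21.5 and 1.20.12); the mapping
# from branch to fixed release below is an assumption of this example, and any
# other branch is reported as "not covered" rather than as fixed.

# fixed_version_for_branch MAJOR.MINOR -> prints the first fixed patch release
# of that branch, or returns 1 when the branch is not covered.
fixed_version_for_branch() {
    case "$1" in
        1.21) echo "1.21.5" ;;
        1.20) echo "1.20.12" ;;
        *) return 1 ;;
    esac
}

# split_version [go]MAJOR.MINOR[.PATCH[suffix]] -> prints "MAJOR MINOR PATCH".
# A missing patch component (e.g. "go1.20") counts as 0; a trailing
# non-numeric suffix such as "rc1" is dropped.
split_version() {
    v=${1#go}
    major=${v%%.*}
    rest=${v#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%[!0-9]*}
    [ -n "$patch" ] || patch=0
    echo "$major $minor $patch"
}

# version_ge A B -> exit 0 when A >= B, comparing major, minor and patch
# numerically (a plain string compare would rank 1.20.9 above 1.20.12).
version_ge() {
    set -- $(split_version "$1") $(split_version "$2")
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# go_toolchain_is_fixed VERSION -> 0 if at/above the fixed release of its
# branch, 1 if below it, 2 if the branch is not covered by the mapping.
go_toolchain_is_fixed() {
    set -- $(split_version "$1")
    fixed=$(fixed_version_for_branch "$1.$2") || return 2
    version_ge "$1.$2.$3" "$fixed"
}

# check_go_version_output LINE -> same codes as above for the line printed by
# `go version` ("go version go1.21.5 linux/amd64"); 3 if LINE is not such a line.
check_go_version_output() {
    set -- $1
    [ "$1" = "go" ] && [ "$2" = "version" ] || return 3
    go_toolchain_is_fixed "$3"
}

# Constructed sample lines (not captured from the QA machines in the report).
# On a real host: check_go_version_output "$(go version)"
for sample in "go version go1.21.5 linux/amd64" \
              "go version go1.21.0 linux/amd64" \
              "go version go1.20.12 linux/amd64" \
              "go version go1.19.13 linux/amd64"; do
    rc=0
    check_go_version_output "$sample" || rc=$?
    case $rc in
        0) echo "fixed       : $sample" ;;
        1) echo "vulnerable  : $sample" ;;
        2) echo "not covered : $sample" ;;
        *) echo "unparseable : $sample" ;;
    esac
done
```

The exit codes are deliberately distinct so a build-node inventory script can tell "older than the fix" from "a branch this mapping says nothing about"; only the Mageia package version (`rpm -q golang`) tells you which upstream release a given RPM carries, so the toolchain's own `go version` output is the thing worth comparing.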