A CVE has been assigned for an issue fixed in Golang 1.3.2:
http://openwall.com/lists/oss-security/2014/09/26/28

Mageia 4 is also affected.

CC: (none) => bruno, pterjan
Whiteboard: (none) => MGA4TOO
Fixed in cauldron. Waiting for feedback for mga4
Status: NEW => ASSIGNED
golang-1.3.2-2.mga5 uploaded for Cauldron.
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
I submitted golang as well for mga4, using the upstream patch mentioned above and adapting it to the directory structure.
Thanks Bruno!

Advisory:
========================

Updated golang packages fix security vulnerability:

Go 1.1 through 1.3.2 has an issue that affects programs that use crypto/tls to implement a TLS server. If the server enables TLS client authentication using certificates and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes (CVE-2014-7189).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7189
http://openwall.com/lists/oss-security/2014/09/26/28
========================

Updated packages in core/updates_testing:
========================
golang-1.1.2-3.1.mga4
golang-vim-1.1.2-3.1.mga4
emacs-golang-1.1.2-3.1.mga4
xemacs-golang-1.1.2-3.1.mga4

from golang-1.1.2-3.1.mga4.src.rpm
Assignee: joequant => qa-bugs
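The condition in the advisory above, written as a check a defender could run over a server's tls.Config. This is an added example, not part of the bug thread or of the Go project's code; the function names are hypothetical, and the affected range is assumed to start at Go 1.1 and end just before 1.3.2, the release the report names as carrying the fix.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strconv"
	"strings"
)

// versionKey turns a runtime.Version()-style string such as "go1.3.1" into a
// comparable integer (major*1e6 + minor*1e3 + patch); a missing patch is 0.
func versionKey(v string) (int, error) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if !strings.HasPrefix(v, "go") || len(parts) < 2 || len(parts) > 3 {
		return 0, fmt.Errorf("not a plain release version: %q", v)
	}
	key := 0
	for i := 0; i < 3; i++ {
		n := 0
		if i < len(parts) {
			var err error
			if n, err = strconv.Atoi(parts[i]); err != nil || n < 0 || n > 999 {
				return 0, fmt.Errorf("not a plain release version: %q", v)
			}
		}
		key = key*1000 + n
	}
	return key, nil
}

// ExposedToCVE20147189 (hypothetical helper) reports whether cfg matches the
// advisory's condition: client certificates in use AND SessionTicketsDisabled
// set to true, on an upstream Go release in the assumed affected range.
func ExposedToCVE20147189(cfg *tls.Config, goVersion string) (bool, error) {
	key, err := versionKey(goVersion)
	if err != nil {
		return false, err // development or pre-release build: check by hand
	}
	inRange := key >= 1001000 && key < 1003002 // Go 1.1 up to, not including, 1.3.2
	usesClientCerts := cfg.ClientAuth != tls.NoClientCert
	return inRange && usesClientCerts && cfg.SessionTicketsDisabled, nil
}

func main() {
	// Constructed sample input: a server config matching the advisory's condition.
	cfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}
	fmt.Println(ExposedToCVE20147189(cfg, "go1.3.1"))
}
```

A version string cannot see distribution backports: a patched package such as golang-1.1.2-3.1.mga4 keeps the 1.1.2 upstream version, so treat a positive result as a prompt to check the installed package release.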
Testing complete mga4 64

Just testing the package is functional.

Testing with some examples from the golang tour and following the first part of a tutorial video..
http://tour.golang.org
http://www.youtube.com/watch?v=XCsL89YtqCs

Hello world example:

    $ cat hello.go
    package main

    import "fmt"

    func main() {
        fmt.Println("Hello, World!")
    }

Web server example:

    $ cat webserver.go
    package main

    import (
        "fmt"
        "net/http"
    )

    type Hello struct{}

    func (h Hello) ServeHTTP(
        w http.ResponseWriter,
        r *http.Request) {
        fmt.Fprint(w, "Hello!")
    }

    func main() {
        var h Hello
        http.ListenAndServe("localhost:4000", h)
    }

Using these for testing..

    $ mkdir gocode
    $ cd ..
    $ mkdir gocode
    $ export GOPATH=$HOME/gocode
    $ cd gocode
    $ mkdir -p src/examples
    $ cd src/examples
    $ mkdir hello
    $ cd hello
    $ go install
    $ ls ~/gocode/bin
    hello*
    $ ~/gocode/bin/hello
    Hello, World!

    $ cd ..
    $ mkdir webserver
    $ cd webserver
    $ go install
    $ ls ~/gocode/bin
    hello* webserver*
    $ ~/gocode/bin/webserver

Open http://localhost:4000 in a browser..

    Hello!
Whiteboard: (none) => has_procedure mga4-64-ok
Testing complete mga4 32
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok
Validating. Advisory uploaded.

Could sysadmin please push to 4 updates?

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0410.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/615623/