Bug 18482 - golang new security issue CVE-2016-3959
Summary: golang new security issue CVE-2016-3959
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/685138/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-05-18 18:32 CEST by David Walser
Modified: 2016-05-24 00:01 CEST

See Also:
Source RPM: golang-1.4.3-1.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2016-05-18 18:32:04 CEST
OpenSuSE has issued an advisory today (May 18):
https://lists.opensuse.org/opensuse-updates/2016-05/msg00077.html

The CVE-2015-8618 issue they also fixed only affects 1.5+.

They apparently believe that CVE-2016-3959 affects 1.4.x though, hence this update.

The issue is fixed in version 1.5.4 and 1.6.1.
Comment 1 Bruno Cornec 2016-05-22 02:05:22 CEST
Hello,

I've backported the golang 1.6.2 that we have in cauldron for mga6.

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Assignee: bruno => qa-bugs

Comment 2 David Walser 2016-05-22 02:15:15 CEST
Can't close it until it's tested and pushed.

I guess the best test case for this would be to use the updated golang to build the docker package. Would you agree, Bruno?

Status: RESOLVED => REOPENED
CC: (none) => bruno
Resolution: FIXED => (none)

Comment 3 Bruno Cornec 2016-05-22 02:41:05 CEST
Yep. Let me do that. I was indeed looking at the docker BR as well ;-)

Will let you know when it's done.
Comment 4 Bruno Cornec 2016-05-23 02:05:51 CEST
I've rebuilt both docker 1.9.1 for mga5 and docker 1.11.1 on mga5 with that version without issue, so at least it seems to work for that requirement.
Comment 5 David Walser 2016-05-23 02:23:15 CEST
Successfully used to build the docker update, marking as OK.

Advisory in SVN updated.

type: security
subject: Updated golang package fixes CVE-2016-3959
CVE:
 - CVE-2016-3959
src:
  5:
   core:
     - golang-1.6.2-7.mga5
description: |
  Updated golang packages fix security vulnerability:

  Go has an infinite loop in several big integer routines that makes
  Go programs vulnerable to remote denial of service attacks. Programs
  using HTTPS client authentication or the Go ssh server libraries are
  both exposed to this vulnerability (CVE-2016-3959).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=18482
 - https://lists.opensuse.org/opensuse-updates/2016-05/msg00077.html

Updated packages:
================
golang-1.6.2-7.mga5
golang-docs-1.6.2-7.mga5
golang-misc-1.6.2-7.mga5
golang-tests-1.6.2-7.mga5
golang-src-1.6.2-7.mga5
golang-bin-1.6.2-7.mga5
golang-shared-1.6.2-7.mga5

Whiteboard: (none) => MGA5-32-OK MGA5-64-OK advisory

Comment 6 claire robinson 2016-05-23 21:51:31 CEST
Good work, thanks. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2016-05-24 00:01:42 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0207.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED