Fedora has issued an advisory on February 20: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C4TOPVSIULS5EMGKZ6OHC6LNDR7QA7W3/ The issue is fixed upstream in 1.9.4. Mageia 6 is also affected.
CC: (none) => smelrorWhiteboard: (none) => MGA6TOOStatus comment: (none) => Fixed upstream in 1.9.4
Updated packages uploaded by Bruno. Advisory: ======================== Updated golang packages fix security vulnerabilities: Go before 1.9.4 allows "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked (CVE-2018-6574). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6574 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C4TOPVSIULS5EMGKZ6OHC6LNDR7QA7W3/ ======================== Updated packages in core/updates_testing: ======================== golang-1.9.4-3.mga6 golang-docs-1.9.4-3.mga6 golang-misc-1.9.4-3.mga6 golang-tests-1.9.4-3.mga6 golang-src-1.9.4-3.mga6 golang-bin-1.9.4-3.mga6 golang-shared-1.9.4-3.mga6 from golang-1.9.4-3.mga6.src.rpm
Version: Cauldron => 6Whiteboard: MGA6TOO => (none)CC: (none) => brunoAssignee: bruno => qa-bugs
As usual, you can build the docker package to test this.
Keywords: (none) => has_procedure
This is becoming a regular customer. Testing this on Mageia 6 :: x86_64 and referring back to bugs #21103 and #21857. Not attempting to follow up the security problem but going straight for the update. [lcl@vega golang]$ mgarepo co -d 6 docker $ bm -ls creating package list processing package docker-%{dist_version}-%mkrel 4 building source package Wrote: /home/lcl/qa/golang/docker/SRPMS/docker-17.03.1-4.mga6.src.rpm succeeded! $ bm -l creating package list processing package docker-%{dist_version}-%mkrel 4 building source and binary packages error: Failed build dependencies: btrfs-devel is needed by docker-17.03.1-4.mga6.x86_64 device-mapper-devel is needed by docker-17.03.1-4.mga6.x86_64 go-md2man is needed by docker-17.03.1-4.mga6.x86_64 golang-net-devel is needed by docker-17.03.1-4.mga6.x86_64 libsqlite3-devel is needed by docker-17.03.1-4.mga6.x86_64 error: failed! Installed missing docker dependencies including: $MIRRORLIST: media/core/release/go-md2man-1.0.2-4.mga6.x86_64.rpm $MIRRORLIST: media/core/release/golang-net-devel-0.1.git84a4013f96e0-8.mga6.x86_64.rpm $ bm -l ........................ + /usr/bin/rm -rf /home/lcl/qa/golang/docker/BUILDROOT/docker-17.03.1-4.mga6.x86_64 + exit 0 succeeded! Are those versions of go-md2man and golang-net-devel likely to be a problem? Shall run the mickey-mouse program after tea.
CC: (none) => tarazed25
Testing go compilation on a HelloWorld program using the recommended file structure for user files. $ cat hello.go package main import "fmt" import "stringutil" func main() { fmt.Printf("Good morning QA\n") fmt.Printf(stringutil.Reverse("\nGood morning QA!")) } $ export GOPATH=/home/$USER/go/ $ cd $ cd $GOPATH/src/ $ go run hello.go Good morning QA !AQ gninrom dooG $ go build hello.go $ mv hello ../bin/ $ ../bin/hello Good morning QA !AQ gninrom dooG $ tree . ├── bin │ └── hello └── src ├── hello_1.go ├── hello.go └── stringutil └── reverse.go Good for X86_64. Not sure if docker can be built for 32-bit systems but it may be important to test golang on i586. This simple program could be used. Comments?
Whiteboard: (none) => MGA6-64-OK
(In reply to Len Lawrence from comment #4) > Not sure if docker can be built for 32-bit systems but it may be important > to test golang on i586. This simple program could be used. Comments? One arch testing is ok for golang, as it's not critical like kernels etc. For docker, like other virtual machine systems, only x86_64 should be tested.
CC: (none) => davidwhodgins
Thanks Dave. Validating this.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
advisory uploaded
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0144.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED