Upstream has announced version 1.11.3 on December 14, fixing security issues:
https://www.openwall.com/lists/oss-security/2018/12/14/9

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
Assignee: bugsquad => joequant
CC: (none) => marja11
Assignee: joequant => bruno
CC: (none) => joequant
openSUSE has issued an advisory for this on December 19:
https://lists.opensuse.org/opensuse-updates/2018-12/msg00094.html
golang-1.11.4-1.mga7 uploaded for Cauldron by Stig-Ørjan.
Version: Cauldron => 6
CC: (none) => smelror
Whiteboard: MGA6TOO => (none)
Debian has issued an advisory on February 1:
https://www.debian.org/security/2019/dsa-4380

It fixes one new serious issue, fixed upstream in 1.11.5 (already in Cauldron) and 1.10.8.
Summary: golang new security issues CVE-2018-1687[3-5] => golang new security issues CVE-2018-1687[3-5] and CVE-2019-6486
Severity: normal => critical
1.11.5-1 pushed to updates_testing for mga6 and 1.11.5-2 bumped for mga7.
Status: NEW => ASSIGNED
Assignee: bruno => qa-bugs
- golang-1.11.5-1.mga6.x86_64
- golang-bin-1.11.5-1.mga6.x86_64
- golang-docs-1.11.5-1.mga6.noarch
- golang-misc-1.11.5-1.mga6.noarch
- golang-shared-1.11.5-1.mga6.x86_64
- golang-src-1.11.5-1.mga6.noarch

These were in updates-testing so they have been installed. Is it OK to go ahead and test?
CC: (none) => tarazed25
Swurff!! Wrong bug. Trying again.

mga6, x86_64

Checked the CVEs and other links; nothing for QA to do.

Set up go directory tree for user at ~/go and defined GOPATH.

$ export GOPATH=/home/$USER/go/
$ tree go
go
├── bin
└── src
    ├── hello_1.go
    ├── hello.go
    └── stringutil
        └── reverse.go

Compiled hello.go and tested it.
Checked out docker revision 1363318 from mga6 repository.

Updated golang from updates-testing.
- golang-1.11.5-1.mga6.x86_64
- golang-bin-1.11.5-1.mga6.x86_64
- golang-docs-1.11.5-1.mga6.noarch
- golang-misc-1.11.5-1.mga6.noarch
- golang-shared-1.11.5-1.mga6.x86_64
- golang-src-1.11.5-1.mga6.noarch

From go src directory:

$ go run hello.go
Good morning QA !AQ gninrom dooG
$ go build hello.go
$ ls
hello*  hello.go  stringutil/
$ ./hello
Good morning QA !AQ gninrom dooG

Basic compilation and running is fine.

Building docker has generally been recommended as a test of golang.

$ mgarepo co -d 6 docker
Using the svn mirror.
[...]
Checked out revision 1363406.
[...]
2019-02-05 15:19:21 (618 KB/s) - ‘docker/SOURCES/tini-fec3683.tar.gz’ saved [32156/32156]
$ cd docker
$ bm -ls
creating package list
processing package docker-%{dist_version}-%mkrel 1
building source package
Wrote: /home/lcl/dev/docker/docker/SRPMS/docker-18.06.1-1.2.mga6.src.rpm
succeeded!
$ ls
BUILD/  BUILDROOT/  RPMS/  SOURCES/  SPECS/  SRPMS/
$ bm -l
creating package list
processing package docker-%{dist_version}-%mkrel 1
building source and binary packages
error: Failed build dependencies:
        btrfs-devel is needed by docker-18.06.1-1.2.mga6.x86_64
        glibc-static-devel is needed by docker-18.06.1-1.2.mga6.x86_64
        go-md2man is needed by docker-18.06.1-1.2.mga6.x86_64
        golang-net-devel is needed by docker-18.06.1-1.2.mga6.x86_64
        pkgconfig(devmapper) is needed by docker-18.06.1-1.2.mga6.x86_64
error: failed!

Installed the dependencies but did not know how to interpret the last one, pkgconfig(devmapper). pkgconfig is already installed.
$ bm -l
creating package list
processing package docker-%{dist_version}-%mkrel 1
building source and binary packages
error: Failed build dependencies:
        pkgconfig(devmapper) is needed by docker-18.06.1-1.2.mga6.x86_64
error: failed!

There are dozens of files with devmapper in their names, often with the .go filetype as well, so what exactly is missing?
On the other hand it could be the result of jumping the gun.
(In reply to Len Lawrence from comment #7)
> Installed the dependencies but did not know how to interpret the last one
> pkgconfig(devmapper). pkgconfig is already installed.

Just do urpmi "pkgconfig(devmapper)"

It's an automatically generated Provides for some devel package because it provides a devmapper.pc pkgconfig file.

Or better yet, use "bm -ls" to create an SRPM and then run urpmi on that SRPM and it'll install all of the build deps. Plus if you install them that way, you can usually remove them easily when you're done with urpme --auto-orphans.
(In reply to Bruno Cornec from comment #5)
> 1.11.5-1 pushed to updates_testing formga6 and 1.11.5-2 bumped for mga7.

Thanks Bruno. Just a couple reminders. The rebuild for mga7 was unnecessary. 1.11.5-1.mga7 is still > 1.11.5-1.mga6. Also, please leave yourself CC'd for bugs when you assign to QA.
CC: (none) => bruno
Advisory:
========================

Updated golang packages fix security vulnerabilities:

Remote code execution in go get, when executed with the -u flag (CVE-2018-16873).

An arbitrary filesystem write in go get, which could lead to code execution (CVE-2018-16874).

Denial of Service in the crypto/x509 package during certificate chain validation (CVE-2018-16875).

Go before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks (CVE-2019-6486).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16874
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16875
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486
https://lists.opensuse.org/opensuse-updates/2018-12/msg00094.html
https://www.debian.org/security/2019/dsa-4380
========================

Updated packages in core/updates_testing:
========================
golang-1.11.5-1.mga6
golang-docs-1.11.5-1.mga6
golang-misc-1.11.5-1.mga6
golang-tests-1.11.5-1.mga6
golang-src-1.11.5-1.mga6
golang-bin-1.11.5-1.mga6
golang-shared-1.11.5-1.mga6

from golang-1.11.5-1.mga6.src.rpm
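As an added check for testers (not code from the bug thread or from Mageia's packaging), the snippet below decides whether a runtime.Version() string is at or past the fixed releases named in this advisory, 1.11.5 on the 1.11 branch and 1.10.8 on the 1.10 branch; the branch thresholds and the treatment of other branches are this example's own assumptions.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// First patch release per branch that carries the fixes in this advisory
// (1.11.5 and 1.10.8, as stated in the bug thread; assumption of this example).
var fixedPatch = map[[2]int]int{{1, 11}: 5, {1, 10}: 8}

// parseGoVersion turns "go1.11.5" into [1 11 5] ("go1.11" -> [1 11 0]).
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if !strings.HasPrefix(v, "go") || len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("not a release version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// IsPatched reports whether v (the runtime.Version() string) is at least the
// fixed release of its branch. Branches newer than 1.11 are assumed to ship
// with the fixes; branches older than 1.10 never received them.
func IsPatched(v string) (bool, error) {
	ver, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	branch := [2]int{ver[0], ver[1]}
	if patch, ok := fixedPatch[branch]; ok {
		return ver[2] >= patch, nil
	}
	return ver[0] > 1 || ver[1] > 11, nil
}

func main() {
	ok, err := IsPatched(runtime.Version())
	fmt.Println(runtime.Version(), "patched:", ok, err)
}
```

Development builds ("devel +hash") are reported as an error rather than as patched, so the check fails closed on toolchains it cannot classify.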
Added golang-tests.

@David - comment 9. Thanks for the tips. The first one worked like a charm but the second is worth remembering for future local builds.

From docker build directory:

$ bm -l
[...]
+ exit 0
succeeded!

golang looks fine but golang-tests needs investigation.
Re golang-tests.

Extract from $ urpmq -i golang-tests
Summary : Golang compiler tests for stdlib

Nothing useful under /usr/share/doc/golang. locate returns lists of go sanitizers and go code snippets. There is a section labelled /usr/lib/golang/misc/cgo/testso/ which might be relevant, both C and go code. Not really QA territory so let's send this one on.
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0066.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED