Bug 25372 - golang new security issues CVE-2019-9512, CVE-2019-9514, CVE-2019-14809
Summary: golang new security issues CVE-2019-9512, CVE-2019-9514, CVE-2019-14809
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-28 22:08 CEST by David Walser
Modified: 2019-09-06 23:11 CEST (History)
8 users

See Also:
Source RPM: golang-1.12.5-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-08-28 22:08:25 CEST
Debian has issued an advisory on August 18:
https://www.debian.org/security/2019/dsa-4503

The last issue is fixed upstream in 1.11.13 and 1.12.8.  Hopefully the first two are as well.

Mageia 6 is also affected.
David Walser 2019-08-28 22:08:32 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Lewis Smith 2019-08-28 22:13:51 CEST
Assigning to Joseph as the listed golang maintainer.

Assignee: bugsquad => joequant

David Walser 2019-08-28 22:43:16 CEST

CC: (none) => bruno.cornec, smelror

Comment 2 Bruno Cornec 2019-09-04 12:51:57 CEST
golang-1.11.13 uploaded to updates_testing

CC: (none) => bruno
Status: NEW => ASSIGNED
Assignee: joequant => bruno

Comment 3 Bruno Cornec 2019-09-04 12:58:35 CEST
(In reply to Bruno Cornec from comment #2)
> golang-1.11.13 uploaded to updates_testing

For Mageia 6, sorry.
Comment 4 Bruno Cornec 2019-09-04 13:12:35 CEST
golang-1.12.8 uploaded to updates_testing for Mageia 7
Comment 5 Bruno Cornec 2019-09-04 16:03:10 CEST
golang-1.13 uploaded into cauldron as well.

Assignee: bruno => qa-bugs

Comment 6 David Walser 2019-09-04 16:10:37 CEST
Uploaded packages:
golang-1.11.5-1.mga6
golang-docs-1.11.5-1.mga6
golang-misc-1.11.5-1.mga6
golang-tests-1.11.5-1.mga6
golang-src-1.11.5-1.mga6
golang-bin-1.11.5-1.mga6
golang-shared-1.11.5-1.mga6
golang-1.12.8-1.mga7
golang-docs-1.12.8-1.mga7
golang-misc-1.12.8-1.mga7
golang-tests-1.12.8-1.mga7
golang-src-1.12.8-1.mga7
golang-bin-1.12.8-1.mga7
golang-shared-1.12.8-1.mga7

from SRPMS:
golang-1.11.5-1.mga6.src.rpm
golang-1.12.8-1.mga7.src.rpm


Were you able to verify that they fix CVE-2019-9512 and CVE-2019-9514?
Comment 7 Bruno Cornec 2019-09-05 01:46:26 CEST
1.12.8 is fixing these issues:
http://git.azurewebsites.net/docker/cli/pull/2044

For Mageia 6 it should be 1.11.13, which fixes it, now that I have pushed it!
https://github.com/docker/docker-ce/commit/4a2e3c4a9bb84e88553b0cd7c3009c1cfeb513c4
Comment 8 Herman Viaene 2019-09-05 10:39:28 CEST
MGA6-64 Plasma on Lenovo B50
No installation issues.
Tried to follow bug 24014 Comment 7 from Len, but apparently he's relying on his previous knowledge and available test files.
For the docker test I get "permission denied" (missing public key), I've never been in this area.
So all I have is a clean install.

CC: (none) => herman.viaene

Comment 9 David Walser 2019-09-05 14:09:49 CEST
golang-1.11.13-1.mga6
golang-docs-1.11.13-1.mga6
golang-misc-1.11.13-1.mga6
golang-tests-1.11.13-1.mga6
golang-src-1.11.13-1.mga6
golang-bin-1.11.13-1.mga6
golang-shared-1.11.13-1.mga6

from golang-1.11.13-1.mga6.src.rpm

now for Mageia 6.  Advisory to come.
Comment 10 Len Lawrence 2019-09-05 19:10:42 CEST
In reply to Herman, comment 8

Don't worry about this one Herman.  I have a couple of noddy programs to try out, and the docker build has worked in the past.  Shall see if I still have access to the repository.  Going for both architectures, but first the CVEs...

CC: (none) => tarazed25

Comment 11 Len Lawrence 2019-09-05 20:59:04 CEST
mga6, x86_64

Nothing to say re the CVEs.
Clean update of all seven packages.

Performed local build of docker-18.06.3-1.2.
It took a little while but succeeded in populating the RPMS and SRPMS directories.

Back later.
Comment 12 Len Lawrence 2019-09-05 21:49:39 CEST
Follow on from comment 11.

Defined the GOPATH environment variable and used the preexisting go tree in the user's home directory to test a simple Hello-World script which reversed the order of the characters in the output message.
Tested 'go clean', 'go run hello.go' and 'go build hello.go'.
The resulting hello executable is a normal 64-bit ELF file and can be run like so as well:
$ ./hello
Good morning QA
!AQ gninrom dooG

So, no problem with simple things either.  This can be sent on its way.

Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK

Comment 13 Len Lawrence 2019-09-05 23:57:28 CEST
mga7, x86_64

Updated the packages.
Set up an elementary go development tree and used run, build and clean options of the go command.  Compiled a "Hello World" which worked fine.

Checked out the mga7 docker package from svn.

$ bm -ls
That worked fine.
$ bm -l
Failed on some missing dependencies:
btrfs
cmake
glibc-static-devel
go-md2man
golang-net-devel
libltdl-devel
pkgconfig(devmapper)
pkgconfig(sqlite3)

Installed the first six but do not know how to install the pkgconfig files.
I am guessing that they provide the devmapper.pc and sqlite.pc files.  On an mga6 system here they can be found at
/usr/lib64/pkgconfig/{devicemapper.pc,sqlite3.pc}
This is packager country so can somebody please enlighten me?
Len Lawrence 2019-09-05 23:57:40 CEST

Keywords: (none) => feedback

Comment 14 Stig-Ørjan Smelror 2019-09-06 00:02:11 CEST
Len,

to install the BuildRequires for a package, use this command

% sudo urpmi --buildrequires SPECS/<name>.spec

Cheers,
Stig
Comment 15 Len Lawrence 2019-09-06 00:16:09 CEST
Ah.  Thanks Stig.  I saw you gave me that advice some time ago on a go bug.
Because I don't build packages routinely, such tips soon vanish from my memory.
Obviously a better way to go.  So thanks again.

Meanwhile I had managed by another route.
Installed device-mapper-devel and sqlite3-devel.  Let's see.

$ bm -l
[...]
+ /usr/bin/rm -rf /home/lcl/dev/docker/BUILDROOT/docker-18.09.8-1.mga7.x86_64
+ exit 0
succeeded!

go is fine for mga7 64bits.
Len Lawrence 2019-09-06 00:16:31 CEST

Keywords: feedback => (none)
Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK

Comment 16 Thomas Andrews 2019-09-06 03:27:13 CEST
Validating. Needs advisory.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 17 Thomas Backlund 2019-09-06 19:55:48 CEST
Advisory, added to svn:

type: security
subject: Updated golang packages fix security vulnerabilities
CVE:
 - CVE-2019-9512
 - CVE-2019-9514
 - CVE-2019-14809
src:
  6:
   core:
     - golang-1.11.13-1.mga6
  7:
   core:
     - golang-1.12.8-1.mga7
description: |
  Updated golang packages fix security vulnerabilities:

  Some HTTP/2 implementations are vulnerable to ping floods, potentially
  leading to a denial of service. The attacker sends continual pings to an
  HTTP/2 peer, causing the peer to build an internal queue of responses.
  Depending on how efficiently this data is queued, this can consume excess
  CPU, memory, or both (CVE-2019-9512)

  Some HTTP/2 implementations are vulnerable to a reset flood, potentially
  leading to a denial of service. The attacker opens a number of streams and
  sends an invalid request over each stream that should solicit a stream of
  RST_STREAM frames from the peer. Depending on how the peer queues the
  RST_STREAM frames, this can consume excess memory, CPU, or both
  (CVE-2019-9514).

  net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed
  hosts in URLs, leading to an authorization bypass in some applications.
  This is related to a Host field with a suffix appearing in neither
  Hostname() nor Port(), and is related to a non-numeric port number.
  (CVE-2019-14809)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=25372
 - https://www.debian.org/security/2019/dsa-4503

Keywords: (none) => advisory
CC: (none) => tmb
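The CVE-2019-14809 paragraph in the advisory describes the pattern that bit applications: they authorised on Hostname() while the Host field carried a suffix that neither Hostname() nor Port() reported. As an added example, not code from this bug report, from Mageia or from the Go project, here is a defensive check that rebuilds Host from the two accessors and rejects any URL where they disagree, so it does not depend on which Go version parsed the URL. AuthorizedHost, rebuildHost, the allow-list and the sample URLs are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var errHostMismatch = errors.New("net/url: Host not fully covered by Hostname()+Port()")

// rebuildHost reassembles the Host field from Hostname() and Port(). An IPv6
// literal must be re-bracketed, since Hostname() strips the brackets.
func rebuildHost(u *url.URL) string {
	h := u.Hostname()
	if strings.Contains(h, ":") {
		h = "[" + h + "]"
	}
	if p := u.Port(); p != "" {
		h += ":" + p
	}
	return h
}

// AuthorizedHost parses raw and returns its hostname only when the URL parses,
// its Host field is fully explained by Hostname()/Port() (the invariant that
// CVE-2019-14809 broke), and the hostname is on the allow-list.
func AuthorizedHost(raw string, allowed map[string]bool) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if rebuildHost(u) != u.Host {
		return "", errHostMismatch
	}
	if !allowed[strings.ToLower(u.Hostname())] {
		return "", fmt.Errorf("host %q not allowed", u.Hostname())
	}
	return u.Hostname(), nil
}

func main() {
	allowed := map[string]bool{"api.example.com": true} // constructed allow-list
	for _, raw := range []string{
		"https://api.example.com:443/v1",
		"https://[2001:db8::1]:8443/v1",
		"https://api.example.com:443xyz/v1", // constructed non-numeric port case
		"https://evil.example.net/v1",
	} {
		h, err := AuthorizedHost(raw, allowed)
		fmt.Printf("%-40s -> host=%q err=%v\n", raw, h, err)
	}
}
```

On a fixed Go the malformed-port URL already fails in url.Parse; on an unfixed one the rebuildHost comparison catches the same input, so either way the request is refused rather than routed to a host the check never saw.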

Comment 18 Mageia Robot 2019-09-06 23:11:23 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0251.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

