Debian has issued an advisory on August 18: https://www.debian.org/security/2019/dsa-4503 The last issue is fixed upstream in 1.11.13 and 1.12.8. Hopefully the first two are as well. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to Joseph as the listed golang maintainer.
Assignee: bugsquad => joequant
CC: (none) => bruno.cornec, smelror
golang-1.11.13 uploaded to updates_testing
CC: (none) => bruno
Status: NEW => ASSIGNED
Assignee: joequant => bruno
(In reply to Bruno Cornec from comment #2)
> golang-1.11.13 uploaded to updates_testing
For Mageia 6, sorry.
golang-1.12.8 uploaded to updates_testing for Mageia 7
golang-1.13 uploaded into cauldron as well.
Assignee: bruno => qa-bugs
Uploaded packages:
golang-1.11.5-1.mga6
golang-docs-1.11.5-1.mga6
golang-misc-1.11.5-1.mga6
golang-tests-1.11.5-1.mga6
golang-src-1.11.5-1.mga6
golang-bin-1.11.5-1.mga6
golang-shared-1.11.5-1.mga6
golang-1.12.8-1.mga7
golang-docs-1.12.8-1.mga7
golang-misc-1.12.8-1.mga7
golang-tests-1.12.8-1.mga7
golang-src-1.12.8-1.mga7
golang-bin-1.12.8-1.mga7
golang-shared-1.12.8-1.mga7

from SRPMS:
golang-1.11.5-1.mga6.src.rpm
golang-1.12.8-1.mga7.src.rpm

Were you able to verify that they fix CVE-2019-9512 and CVE-2019-9514?
1.12.8 is fixing these issues: http://git.azurewebsites.net/docker/cli/pull/2044
For Mageia 6 it should be 1.11.13 which fixes it, now that I have pushed it! https://github.com/docker/docker-ce/commit/4a2e3c4a9bb84e88553b0cd7c3009c1cfeb513c4
MGA6-64 Plasma on Lenovo B50

No installation issues. Tried to follow bug 24014 Comment 7 from Len, but apparently he's relying on his previous knowledge and available test files. For the docker test I get "permission denied" (missing public key); I've never been in this area. So all I have is a clean install.
CC: (none) => herman.viaene
golang-1.11.13-1.mga6
golang-docs-1.11.13-1.mga6
golang-misc-1.11.13-1.mga6
golang-tests-1.11.13-1.mga6
golang-src-1.11.13-1.mga6
golang-bin-1.11.13-1.mga6
golang-shared-1.11.13-1.mga6

from golang-1.11.13-1.mga6.src.rpm now for Mageia 6. Advisory to come.
(In reply to Herman, comment 8)
Don't worry about this one Herman. I have a couple of noddy programs to try out, and the docker build has worked in the past. Shall see if I still have access to the repository. Going for both architectures, but first the CVEs...
CC: (none) => tarazed25
mga6, x86_64

Nothing to say re the CVEs. Clean update of all seven packages. Performed local build of docker-18.06.3-1.2. It took a little while but succeeded in populating the RPMS and SRPMS directories. Back later.
Follow on from comment 11. Defined the GOPATH environment variable and used the pre-existing go tree in the user's home directory to test a simple Hello-World script which reversed the order of the characters in the output message. Tested 'go clean', 'go run hello.go' and 'go build hello.go'. The resulting hello executable is a normal 64-bit ELF file and can be run like so as well:

$ ./hello
Good morning QA !AQ gninrom dooG

So, no problem with simple things either. This can be sent on its way.
Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK
mga7, x86_64

Updated the packages. Set up an elementary go development tree and used the run, build and clean options of the go command. Compiled a "Hello World" which worked fine. Checked out the mga7 docker package from svn.

$ bm -ls

That worked fine.

$ bm -l

Failed on some missing dependencies:
btrfs
cmake
glibc-static-devel
go-md2man
golang-net-devel
libltdl-devel
pkgconfig(devmapper)
pkgconfig(sqlite3)

Installed the first six but do not know how to install the pkgconfig files. I am guessing that they provide the devmapper.pc and sqlite.pc files. On an mga6 system here they can be found at /usr/lib64/pkgconfig/{devicemapper.pc,sqlite3.pc}. This is packager country so can somebody please enlighten me?
Keywords: (none) => feedback
Len, to install the BuildRequires for a package, use this command:

% sudo urpmi --buildrequires SPECS/<name>.spec

Cheers, Stig
Ah. Thanks Stig. I saw you gave me that advice some time ago on a go bug. Because I don't build packages routinely, such tips soon vanish from my memory. Obviously a better way to go. So thanks again.

Meanwhile I had managed by another route. Installed device-mapper-devel and sqlite3-devel. Let's see.

$ bm -l
[...]
+ /usr/bin/rm -rf /home/lcl/dev/docker/BUILDROOT/docker-18.09.8-1.mga7.x86_64
+ exit 0
succeeded!

go is fine for mga7 64bits.
Keywords: feedback => (none)
Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK
Validating. Needs advisory.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory, added to svn:

type: security
subject: Updated golang packages fix security vulnerabilities
CVE:
  - CVE-2019-9512
  - CVE-2019-9514
  - CVE-2019-14809
src:
  6:
    core:
      - golang-1.11.13-1.mga6
  7:
    core:
      - golang-1.12.8-1.mga7
description: |
  Updated golang packages fix security vulnerabilities:

  Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both (CVE-2019-9512).

  Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both (CVE-2019-9514).

  net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. (CVE-2019-14809)
references:
  - https://bugs.mageia.org/show_bug.cgi?id=25372
  - https://www.debian.org/security/2019/dsa-4503
Keywords: (none) => advisory
CC: (none) => tmb
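The net/url item in the advisory above (CVE-2019-14809) comes down to one property: a URL's Host must decompose completely into Hostname() and Port(), with a numeric port. As an added example that is not part of this bug report or of the Go project, the following Go program enforces that property on a url.URL before an allowlist decision, so that a host with trailing bytes or a non-numeric port can never match the allowlist; validateHost, hostAllowed, the allowlist and the sample hosts are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// validateHost enforces the property the CVE-2019-14809 fix restores in url.Parse:
// every byte of u.Host is covered by Hostname() plus Port(), and a port, if present,
// is numeric. Hypothetical helper for this example; it also covers URLs built by hand.
func validateHost(u *url.URL) error {
	host, port := u.Hostname(), u.Port()
	bracketed := strings.HasPrefix(u.Host, "[") // IPv6 literal form
	want := host
	if bracketed {
		want = "[" + host + "]"
	}
	if port != "" {
		want += ":" + port
	}
	if want != u.Host {
		// Some bytes of Host appear in neither accessor: an allowlist keyed on Hostname() never sees them.
		return fmt.Errorf("host %q does not decompose into Hostname()/Port()", u.Host)
	}
	// A colon left in a non-bracketed hostname means Port() refused what followed it.
	if !bracketed && strings.Contains(host, ":") {
		return fmt.Errorf("non-numeric port in %q", u.Host)
	}
	if port != "" {
		if _, err := strconv.ParseUint(port, 10, 16); err != nil {
			return fmt.Errorf("non-numeric port %q in %q", port, u.Host)
		}
	}
	return nil
}

// hostAllowed is the authorization decision: well-formed host AND Hostname() on the allowlist.
func hostAllowed(u *url.URL, allow map[string]bool) bool {
	return validateHost(u) == nil && allow[u.Hostname()]
}

func main() {
	allow := map[string]bool{"api.example.test": true, "::1": true} // constructed allowlist
	// Constructed hosts; the last two have the malformed shapes the advisory describes.
	for _, h := range []string{"api.example.test:8443", "[::1]:443", "[::1]a:80", "api.example.test:1a2"} {
		u := &url.URL{Scheme: "https", Host: h}
		fmt.Printf("%-22s allowed=%v err=%v\n", h, hostAllowed(u, allow), validateHost(u))
	}
}
```

The URL values are built directly rather than via url.Parse so the check can be exercised on the malformed shapes even on a fixed Go, where url.Parse already rejects them.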
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0251.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED