Debian has issued an advisory on August 18:
The last issue is fixed upstream in 1.11.13 and 1.12.8. Hopefully the first two are as well.
Mageia 6 is also affected.
Assigning to Joseph as the listed golang maintainer.
golang-1.11.13 uploaded to updates_testing
(In reply to Bruno Cornec from comment #2)
> golang-1.11.13 uploaded to updates_testing
For Mageia 6 sorry
golang-1.12.8 uploaded to updates_testing for Mageia 7
golang-1.13 uploaded into cauldron as well.
Were you able to verify that they fix CVE-2019-9512 and CVE-2019-9514?
1.12.8 is fixing these issues:
For Mageia 6 it should be 1.11.13 which fixes it, now that I have pushed it!
MGA6-64 Plasma on Lenovo B50
No installation issues.
Tried to follow bug 24014 Comment 7 from Len, but apparently he's relying on his previous knowledge and available test files.
For the docker test I get "permission denied" (missing public key), I've never been in this area.
So all I have is a clean install.
now for Mageia 6. Advisory to come.
In reply to Herman, comment 8
Don't worry about this one Herman. I have a couple of noddy programs to try out, and the docker build has worked in the past. Shall see if I still have access to the repository. Going for both architectures, but first the CVEs...
Nothing to say re the CVEs.
Clean update of all seven packages.
Performed local build of docker-18.06.3-1.2.
It took a little while but succeeded in populating the RPMS and SRPMS directories.
Follow on from comment 11.
Defined the GOPATH environment variable and used the preexisting go tree in user's home directory to test a simple Hello-World script which reversed the order of the characters in the output message.
Tested 'go clean', 'go run hello.go' and 'go build hello.go'.
The resulting hello executable is a normal 64-bit ELF file and can be run like so as well:
Good morning QA
!AQ gninrom dooG
So, no problem with simple things either. This can be sent on its way.
Updated the packages.
Set up an elementary go development tree and used run, build and clean options of the go command. Compiled a "Hello World" which worked fine.
Checked out the mga7 docker package from svn.
$ bm -ls
That worked fine.
$ bm -l
Failed on some missing dependencies:
Installed the first six but do not know how to install the pkgconfig files.
I am guessing that they provide the devmapper.pc and sqlite.pc files. On an mga6 system here they can be found at
This is packager country so can somebody please enlighten me?
To install the BuildRequires for a package, use this command:
% sudo urpmi --buildrequires SPECS/<name>.spec
Ah. Thanks Stig. I saw you gave me that advice some time ago on a go bug.
Because I don't build packages routinely, such tips soon vanish from my memory.
Obviously a better way to go. So thanks again.
Meanwhile I had managed by another route.
Installed device-mapper-devel and sqlite3-devel. Let's see.
$ bm -l
+ /usr/bin/rm -rf /home/lcl/dev/docker/BUILDROOT/docker-18.09.8-1.mga7.x86_64
+ exit 0
go is fine for mga7 64bits.
MGA6TOO MGA6-64-OK =>
MGA6TOO MGA6-64-OK MGA7-64-OK
Validating. Needs advisory.
Advisory, added to svn:
subject: Updated golang packages fix security vulnerabilities
Updated golang packages fix security vulnerabilities:
Some HTTP/2 implementations are vulnerable to ping floods, potentially
leading to a denial of service. The attacker sends continual pings to an
HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume excess
CPU, memory, or both (CVE-2019-9512)
Some HTTP/2 implementations are vulnerable to a reset flood, potentially
leading to a denial of service. The attacker opens a number of streams and
sends an invalid request over each stream that should solicit a stream of
RST_STREAM frames from the peer. Depending on how the peer queues the
RST_STREAM frames, this can consume excess memory, CPU, or both
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed
hosts in URLs, leading to an authorization bypass in some applications.
This is related to a Host field with a suffix appearing in neither
Hostname() nor Port(), and is related to a non-numeric port number.
An update for this issue has been pushed to the Mageia Updates repository.
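
The net/url issue in the advisory above concerns host bytes that neither Hostname() nor Port() reports. As an added example (not taken from the bug thread or from the Go project), the following Go code authorizes a host only when those two accessors account for the whole Host field and the port is numeric; the allowlist, the function names and the sample URLs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// allowedHosts is a hypothetical allowlist used only for this example.
var allowedHosts = map[string]bool{"api.example.com": true}

// CheckHostField accepts a host only if Hostname() and Port() cover every byte of it.
func CheckHostField(hostField string) error {
	u := url.URL{Host: hostField}
	host, port := u.Hostname(), u.Port()
	// ParseUint rejects signs and anything non-numeric; bit size 16 caps it at 65535.
	if n, err := strconv.ParseUint(port, 10, 16); port != "" && (err != nil || n == 0) {
		return fmt.Errorf("non-numeric or out-of-range port %q", port)
	}
	rebuilt := host
	if strings.Contains(host, ":") { // IPv6 literal: Hostname() drops the brackets
		rebuilt = "[" + host + "]"
	}
	if port != "" {
		rebuilt += ":" + port
	}
	if rebuilt != hostField {
		return fmt.Errorf("host %q is not fully covered by Hostname()/Port()", hostField)
	}
	if !allowedHosts[strings.ToLower(host)] {
		return fmt.Errorf("host %q is not on the allowlist", host)
	}
	return nil
}

// CheckRawURL parses raw and applies CheckHostField to the parsed Host field.
func CheckRawURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	return CheckHostField(u.Host)
}

func main() {
	for _, raw := range []string{"https://api.example.com:8443/v1", "https://api.example.com:80evil/v1"} { // constructed samples
		fmt.Printf("%-36s -> %v\n", raw, CheckRawURL(raw))
	}
}
```

The round-trip comparison does not depend on which Go release parsed the URL, so it also covers url.URL values that were built by hand rather than returned by url.Parse.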