- -------------------------------------------------------------------------
Debian Security Advisory DSA-4551-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 25, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : golang-1.11
CVE ID         : CVE-2019-17596

Daniel Mandragona discovered that invalid DSA public keys can cause a panic in dsa.Verify(), resulting in denial of service.

For the stable distribution (buster), this problem has been fixed in version 1.11.6-1+deb10u3.

We recommend that you upgrade your golang-1.11 packages.

For the detailed security status of golang-1.11 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/golang-1.11

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
Component: RPM Packages => Security
QA Contact: (none) => security
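Added example, not part of this bug report, the Debian advisory or the Go project's code: a caller-side guard for the failure mode the advisory describes, a DSA public key with unusable parameters reaching dsa.Verify(). On the fixed toolchains named later in this bug (1.12.11 / 1.13.2 and later) dsa.Verify itself returns false for such a key; on an unpatched toolchain the parameter pre-check and the recover() wrapper below turn the panic into a failed verification and an error instead of a dead process. The helper names (checkPublicKey, recoverVerify, safeVerify, demo), the range checks applied to P, Q, G and Y, and the sample message are assumptions made for this illustration.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// checkPublicKey rejects DSA public keys whose parameters cannot be used
// safely. Hypothetical helper: these are caller-side sanity checks, not the
// Go project's own fix. The conditions are the ones a key received from an
// untrusted source can violate: missing or non-positive P/Q, and G or Y
// outside the open interval (1, P).
func checkPublicKey(pub *dsa.PublicKey) error {
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil {
		return errors.New("dsa: missing public key component")
	}
	if pub.P.Sign() <= 0 || pub.Q.Sign() <= 0 {
		return errors.New("dsa: P and Q must be positive")
	}
	one := big.NewInt(1)
	if pub.G.Cmp(one) <= 0 || pub.G.Cmp(pub.P) >= 0 {
		return errors.New("dsa: G out of range")
	}
	if pub.Y.Cmp(one) <= 0 || pub.Y.Cmp(pub.P) >= 0 {
		return errors.New("dsa: Y out of range")
	}
	return nil
}

// recoverVerify calls dsa.Verify and turns a panic raised inside it into a
// plain verification failure plus an error, so a crafted key cannot take the
// process down on a toolchain that still has the bug. Hypothetical helper.
func recoverVerify(pub *dsa.PublicKey, hash []byte, r, s *big.Int) (ok bool, err error) {
	defer func() {
		if rec := recover(); rec != nil {
			ok = false
			err = fmt.Errorf("dsa: Verify panicked: %v", rec)
		}
	}()
	return dsa.Verify(pub, hash, r, s), nil
}

// safeVerify applies both layers: reject obviously bad keys up front, and
// contain anything that still panics. Hypothetical helper.
func safeVerify(pub *dsa.PublicKey, hash []byte, r, s *big.Int) (bool, error) {
	if err := checkPublicKey(pub); err != nil {
		return false, err
	}
	return recoverVerify(pub, hash, r, s)
}

// demo generates a throwaway key, signs a constructed message, verifies the
// genuine signature, then tries the same signature against a copy of the key
// with P forced to zero (an invalid key of the kind the advisory describes).
// It returns the outcomes so they can be checked programmatically.
func demo() (genuineOK bool, forgedOK bool, forgedErr error) {
	var priv dsa.PrivateKey
	// L1024N160 is the smallest standard parameter size; it is used here only
	// to keep key generation quick, not as a recommendation.
	if err := dsa.GenerateParameters(&priv.Parameters, rand.Reader, dsa.L1024N160); err != nil {
		panic(err)
	}
	if err := dsa.GenerateKey(&priv, rand.Reader); err != nil {
		panic(err)
	}

	digest := sha256.Sum256([]byte("constructed sample message")) // constructed input
	r, s, err := dsa.Sign(rand.Reader, &priv, digest[:])
	if err != nil {
		panic(err)
	}
	genuineOK, _ = safeVerify(&priv.PublicKey, digest[:], r, s)

	forged := priv.PublicKey // struct copy; the P pointer is replaced, the real key is untouched
	forged.P = big.NewInt(0)
	forgedOK, forgedErr = safeVerify(&forged, digest[:], r, s)
	return genuineOK, forgedOK, forgedErr
}

func main() {
	genuine, forged, err := demo()
	fmt.Printf("genuine signature verifies: %v\n", genuine)
	fmt.Printf("crafted key (P=0) verifies: %v, rejected with: %v\n", forged, err)
}
```

The pre-check is the part worth keeping even on a patched Go: dsa.Verify reports a bad key and a bad signature the same way (false), so without it a caller cannot tell a malformed key from a forged signature when deciding what to log or alert on.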
Note: this alert is for golang-1.11; we have golang-1.12. Is this valid? Assigning to joquant as registered maintainer for golang, in case it is. CC DavidW for security bug.
Source RPM: golang => golang-1.12.8-1.mga7.src.rpm
Assignee: bugsquad => joequant
CC: (none) => luigiwalser
Zombie, please provide a link to the advisory and don't copy and paste the text. Lewis, I am the security group, so I already get the e-mails. You don't need to CC me.
Advisory link from October 25: https://www.debian.org/security/2019/dsa-4551

The issue is fixed upstream in 1.12.11 and 1.13.2:
https://groups.google.com/forum/#!msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
Summary: golang-1.11 security update (CVE-2019-17596) => golang new security issue CVE-2019-17596
Assignee: joequant => bruno
CC: (none) => joequant
golang 1.13.2 pushed to cauldron
Status: NEW => ASSIGNED
upstream golang 1.12.11 pushed to mga7 updates_testing
Assignee: bruno => qa-bugs
Advisory:
========================

Updated golang packages fix security vulnerability:

Daniel Mandragona discovered that invalid DSA public keys can cause a panic in dsa.Verify(), resulting in denial of service (CVE-2019-17596).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17596
https://groups.google.com/forum/#!msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ
https://www.debian.org/security/2019/dsa-4551
========================

Updated packages in core/updates_testing:
========================
golang-1.12.11-1.mga7
golang-docs-1.12.11-1.mga7
golang-misc-1.12.11-1.mga7
golang-tests-1.12.11-1.mga7
golang-src-1.12.11-1.mga7
golang-bin-1.12.11-1.mga7
golang-shared-1.12.11-1.mga7

from golang-1.12.11-1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
CC: (none) => bruno
Version: Cauldron => 7
Mageia 7, x86_64

No proofs of concept found for the CVEs.

Updated golang from version 1.12.8 to 1.12.11, seven packages.

Ran exactly the same tests as in bug #25372 including the simple reverse string test.

Building docker is recommended as a test of the compiler:
<Thanks to David Walser for this procedure>

$ magarepo co -d 7 docker
$ cd docker
$ ls
SOURCES/  SPECS/
$ bm -ls
creating package list
processing package docker-%{moby_version}-%mkrel 1
building source package
warning: Macro expanded in comment on line 40: %{shortcommit}
Wrote: /data/qa/golang/docker/SRPMS/docker-18.09.8-1.mga7.src.rpm
succeeded!
$ ls
BUILD/  BUILDROOT/  RPMS/  SOURCES/  SPECS/  SRPMS/
$ sudo urpmi --buildrequires SPECS/docker.spec
<Thanks Stig>
In order to satisfy the 'go-md2man' dependency, one of the following packages is needed:
 1- go-md2man-1.0.8-1.mga7.x86_64: Transform md into man pages (to install)
 2- golang-github-cpuguy83-go-md2man-1.0.8-1.mga7.x86_64: Process markdown into manpages (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release (distrib1)")
  go-md2man                      1.0.8        1.mga7        x86_64
  golang-net-devel               0.1.git84a4> 9.mga7        x86_64
  lib64sqlite3-devel             3.28.0       1.mga7        x86_64
  lib64xcrypt-static-devel       4.4.6        1.mga7        x86_64
(medium "Core Updates (distrib3)")
  glibc-static-devel             2.29         16.mga7       x86_64
  lib64btrfs-devel               5.2.2        1.mga7        x86_64
  lib64devmapper-devel           1.02.154     1.1.mga7      x86_64
76MB of additional disk space will be used.
32MB of packages will be retrieved.
Proceed with the installation of the 7 packages? (Y/n)
[...]
$ bm -l
[...]
Wrote: /data/qa/golang/docker/SRPMS/docker-18.09.8-1.mga7.src.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-18.09.8-1.mga7.x86_64.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-devel-18.09.8-1.mga7.x86_64.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-fish-completion-18.09.8-1.mga7.x86_64.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-logrotate-18.09.8-1.mga7.x86_64.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-unit-test-18.09.8-1.mga7.x86_64.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-vim-18.09.8-1.mga7.x86_64.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-zsh-completion-18.09.8-1.mga7.x86_64.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-nano-18.09.8-1.mga7.x86_64.rpm
Executing(%clean): /bin/sh -e /data/qa/golang/docker/BUILDROOT/rpm-tmp.OULnLG
+ umask 022
+ cd /data/qa/golang/docker/BUILD
+ cd docker-ce-18.09.8
+ /usr/bin/rm -rf /data/qa/golang/docker/BUILDROOT/docker-18.09.8-1.mga7.x86_64
+ exit 0
succeeded!

OK for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
Looks good enough to me, Len. Validating. Advisory in Comment 6.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0310.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2019-16276 (fixed in 1.12.10): https://lists.opensuse.org/opensuse-updates/2019-11/msg00099.html