openSUSE has issued an advisory on July 27:
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html

The issue is fixed upstream in 1.14.5:
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/golang-announce/XZNfaiwgt2w/E6gHDs32AQAJ

Mageia 7 is also affected:
https://github.com/golang/go/issues/34902
Whiteboard: (none) => MGA7TOO
Fedora has issued an advisory for this on July 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WIRVUHD7TJIT7JJ33FKHIVTHPYABYPHR/

They upgraded to 1.14.6.
Assigning to Joseph who is the main maintainer; CC'ing Stig as having done recent updates.
CC: (none) => smelror
Assignee: bugsquad => joequant
CC: (none) => bruno
Cauldron has already been updated to 1.14.6.

Do you think updating 1.13.14 on MGA7 is sufficient?
See https://github.com/golang/go/issues/40211

Cheers,
Stig
Source RPM: golang-1.14.4-2.mga8.src.rpm, golang-1.12.17-1.mga7.src.rpm => golang-1.12.17-1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
As long as we can still build docker with it, I think that's fine.
openSUSE has issued an advisory today (August 12):
https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00028.html

The issue is fixed upstream in 1.13.15 and 1.14.7.
Summary: golang new security issue CVE-2020-15586 => golang new security issues CVE-2020-15586 and CVE-2020-16845
Go has been updated to 1.15 on Cauldron.
Advisory:
========================

Updated golang packages fix security vulnerabilities:

Servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected (CVE-2020-15586).

Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This could lead to processing more input than expected when the caller is reading directly from the network and depends on ReadUvarint and ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs (CVE-2020-16845).

The golang package has been updated to version 1.13.15, fixing these issues and containing several other bug fixes and enhancements. See the 1.13 release notes and other references for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16845
https://golang.org/doc/go1.13
https://golang.org/doc/devel/release.html#go1.13.minor
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/golang-announce/XZNfaiwgt2w/E6gHDs32AQAJ
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!topic/golang-announce/NyPIaucMgXo
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html
========================

Updated packages in core/updates_testing:
========================
golang-1.13.15-1.mga7
golang-docs-1.13.15-1.mga7
golang-misc-1.13.15-1.mga7
golang-tests-1.13.15-1.mga7
golang-src-1.13.15-1.mga7
golang-bin-1.13.15-1.mga7
golang-shared-1.13.15-1.mga7

from golang-1.13.15-1.mga7.src.rpm
Assignee: joequant => qa-bugs
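Added example, not part of the bug report or of the Go project's code: a caller-side guard for the CVE-2020-16845 behaviour described in the advisory above, capping how many bytes ReadUvarint may pull from a ByteReader regardless of the Go version in use. The names cappedByteReader, ReadUvarintBounded and errVarintTooLong are hypothetical, and the inputs in main are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// errVarintTooLong (hypothetical name) is returned once the byte budget is spent.
var errVarintTooLong = errors.New("varint longer than binary.MaxVarintLen64 bytes")

// cappedByteReader (hypothetical helper) hands out at most `left` bytes.
type cappedByteReader struct {
	r    io.ByteReader
	left int // bytes the decoder is still allowed to consume
	read int // bytes actually consumed from r
}

func (c *cappedByteReader) ReadByte() (byte, error) {
	if c.left == 0 {
		return 0, errVarintTooLong // stop before touching the source again
	}
	b, err := c.r.ReadByte()
	if err == nil {
		c.left--
		c.read++
	}
	return b, err
}

// ReadUvarintBounded decodes one uvarint and reports the bytes consumed.
// A valid uint64 never needs more than binary.MaxVarintLen64 (10) bytes.
func ReadUvarintBounded(r io.ByteReader) (uint64, int, error) {
	c := &cappedByteReader{r: r, left: binary.MaxVarintLen64}
	v, err := binary.ReadUvarint(c)
	return v, c.read, err
}

func main() {
	// Constructed inputs: 300 as a uvarint, then 4096 continuation bytes.
	v, n, err := ReadUvarintBounded(bytes.NewReader([]byte{0xAC, 0x02}))
	fmt.Println(v, n, err)
	hostile := bytes.NewReader(bytes.Repeat([]byte{0x80}, 4096))
	v, n, err = ReadUvarintBounded(hostile)
	fmt.Println(v, n, err, "unread:", hostile.Len())
}
```

On a fixed toolchain (1.13.15, 1.14.7 or later) the error for the second input comes from ReadUvarint itself; on an older one it comes from the wrapper, and in both cases only 10 bytes leave the source.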
MGA7-64 Plasma on Lenovo B50
No installation issues.
Copied suffixarray folder from testdata into my home and tried the "go build" on these, but got either no feedback at all (and no new file generated) or missing items.
Giving up.
CC: (none) => herman.viaene
We usually test this by building the docker package.
OK Herman and David, about to try that.
CC: (none) => tarazed25
mga7, x86_64

$ mgarepo co -d 7 docker
Using the svn mirror.
HTTP request sent, awaiting response... 200 OK
Length: 15299640 (15M) [application/x-tar]
Saving to: ‘docker/SOURCES/v18.09.9.tar.gz’

docker/SOURCES/v18. 100%[===================>] 14.59M 3.31MB/s in 4.4s

2020-08-14 19:27:31 (3.31 MB/s) - ‘docker/SOURCES/v18.09.9.tar.gz’ saved [15299640/15299640]

$ cd docker
$ bm -ls
creating package list
processing package docker-%{moby_version}-%mkrel 1
building source package
warning: Macro expanded in comment on line 40: %{shortcommit}
Wrote: /home/lcl/qa/golang/docker/SRPMS/docker-18.09.9-1.1.mga7.src.rpm
succeeded!

$ sudo urpmi --buildrequires SPECS/docker.spec
warning: Macro expanded in comment on line 40: %{shortcommit}
In order to satisfy the 'go-md2man' dependency, one of the following packages is needed:
 1- go-md2man-1.0.8-1.mga7.x86_64: Transform md into man pages (to install)
 2- golang-github-cpuguy83-go-md2man-1.0.8-1.mga7.x86_64: Process markdown into manpages (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:
  Package                 Version        Release    Arch
(medium "Core Release")
  go-md2man               1.0.8          1.mga7     x86_64
  golang-net-devel        0.1.git84a4>   9.mga7     x86_64
  lib64ltdl-devel         2.4.6          9.mga7     x86_64
(medium "Core Updates")
  lib64devmapper-devel    1.02.154       1.1.mga7   x86_64
(medium "Core Updates Testing")
  btrfs-progs             5.7            1.mga7     x86_64
  lib64btrfs-devel        5.7            1.mga7     x86_64
  lib64btrfs0             5.7            1.mga7     x86_64
4.1MB of additional disk space will be used.
1.9MB of packages will be retrieved.
Proceed with the installation of the 7 packages? (Y/n) Y
......

$ bm -l
creating package list
processing package docker-%{moby_version}-%mkrel 1
building source and binary packages
warning: Macro expanded in comment on line 40: %{shortcommit}
Executing(%prep): /bin/sh -e /home/lcl/qa/golang/docker/BUILDROOT/rpm-tmp.j6sAeg
+ umask 022
+ cd /home/lcl/qa/golang/docker/BUILD
......
+ umask 022
+ cd /home/lcl/qa/golang/docker/BUILD
+ cd docker-ce-18.09.9
+ /usr/bin/rm -rf /home/lcl/qa/golang/docker/BUILDROOT/docker-18.09.9-1.1.mga7.x86_64
+ exit 0
succeeded!

$ cd ../RPMS/x86_64
$ ls * | grep 09.9
docker-18.09.9-1.1.mga7.x86_64.rpm
docker-devel-18.09.9-1.1.mga7.x86_64.rpm
docker-fish-completion-18.09.9-1.1.mga7.x86_64.rpm
docker-logrotate-18.09.9-1.1.mga7.x86_64.rpm
docker-nano-18.09.9-1.1.mga7.x86_64.rpm
docker-unit-test-18.09.9-1.1.mga7.x86_64.rpm
docker-vim-18.09.9-1.1.mga7.x86_64.rpm
docker-zsh-completion-18.09.9-1.1.mga7.x86_64.rpm

Checked against the already installed docker:
$ rpm -q docker
docker-18.09.9-1.1.mga7

Skipping the HelloWorld stage - this looks OK.
Whiteboard: (none) => MGA7-64-OK
Had a look at suffixarray but could not figure out how to run the example_test.
A simple hello.go runs and builds fine.

$ export GOHOME=/home/lcl/go/
Sources in ~/go/src
Used a local QA directory for testing.
$ cd ~/qa/golang
$ go run hello.go
Good morning QA !AQ gninrom dooG
$ go build hello.go
$ ./hello
Good morning QA !AQ gninrom dooG
$ cd ~/go/src
$ ls
example_test.go  hello.go  sais.go      suffixarray.go
gen.go           sais2.go  stringutil/  suffixarray_test.go

gen.go is the only other file with a main function and looks like it regenerates sais.go but in fact does not work from the test directory - it has to be run in the src directory.

$ grep -H "func main()" *
gen.go:func main() {
hello.go:func main() {
$ cd ~/qa/golang
$ go build gen.go
can't load package: package gen.go: cannot find package "gen.go" in any of:
	/usr/lib/golang/src/gen.go (from $GOROOT)
	/home/lcl/go/src/gen.go (from $GOPATH)
$ cd $GOPATH/src
$ go build gen.go
$ ll
-rwxr-xr-x 1 lcl lcl 2252965 Aug 15 01:31 gen*
-rw-r--r-- 1 lcl lcl    1932 Aug 15 00:12 gen.go
-rw-r--r-- 1 lcl lcl   53710 Aug 15 01:32 sais2.go
-rw-r--r-- 1 lcl lcl   33261 Aug 15 00:12 sais.go

Taking this no further - there is obviously a lot more to know about file disposition in golang.
s/GOHOME/GOPATH/
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory and package list in Comment 7.
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0325.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED