RedHat has issued an advisory today (September 25): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CZBO7Q73GGWBVYIKNH2HNN44Q5IQND5W/ The issue is fixed upstream in 1.15.1. Mageia 7 may also be affected.
Whiteboard: (none) => MGA7TOO
Hi, thanks for reporting this. Assigning to registered package maintainer. (Packager: please change status to "Assigned" when you are working on this).
Assignee: bugsquad => joequant
CC: (none) => joequant
CC: (none) => bruno
Fixed in 1.15.2 cauldron. Need to fix in mageia7
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
openSUSE has issued an advisory for this on October 2: https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00002.html
Source RPM: golang-1.15-1.mga8.src.rpm => golang-1.13.15-1.mga7.src.rpm
golang-1.13.15-2.mga7 is building with a backported patch
CC: (none) => pterjan
Advisory:
========================

Updated golang package fixes security vulnerability:

A flaw was found in Go standard library packages. Both the net/http/cgi and net/http/fcgi packages use a default Content-Type response header value of "text/html", rather than "text/plain". An attacker could exploit this in applications using these packages by uploading crafted files, allowing for a cross-site scripting attack (XSS) (CVE-2020-24553).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24553
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CZBO7Q73GGWBVYIKNH2HNN44Q5IQND5W/
========================

Updated packages in core/updates_testing:
========================
golang-1.13.15-2.mga7
golang-docs-1.13.15-2.mga7
golang-misc-1.13.15-2.mga7
golang-tests-1.13.15-2.mga7
golang-src-1.13.15-2.mga7
golang-bin-1.13.15-2.mga7
golang-shared-1.13.15-2.mga7

from golang-1.13.15-2.mga7.src.rpm
Assignee: joequant => qa-bugs
CVE-2020-24553
https://seclists.org/fulldisclosure/2020/Sep/5

Made an attempt to run the PoC before updating golang on mga7-x64. Had to jump through some hoops and replace apache with nginx. Wrote the local nginx.conf file and the sample go script.

$ sudo nginx -c ~/qa/go/nginx.conf
127.0.0.1 - - [03/Nov/2020:00:51:19 +0000] "GET / HTTP/1.1" 502 157 "-" "curl/7.71.0"
127.0.0.1 - - [03/Nov/2020:00:56:24 +0000] "GET / HTTP/1.1" 200 334 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
127.0.0.1 - - [03/Nov/2020:00:56:24 +0000] "GET /favicon.ico HTTP/1.1" 499 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"

In another terminal:
$ go mod init sample.go
go: creating new go.mod: module sample.go
$ go run .

Had a look at localhost:8000/ in the browser and saw some binary code for a PNG file with some flashing lines across the screen and a message box containing "RedTeam Pentesting" and an OK button which cleared it off the screen. That much is expected.

$ curl -i -o - http://localhost:8000
HTTP/1.1 200 OK
Server: nginx/1.16.1
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Date: Tue, 03 Nov 2020 01:19:18 GMT

�PNG � IHDR7n�$gAMA�� �a cHRMz&�����u0�`:�p��Q<bKGD݊�tIME;%� IDA�c`�!�34tEXtcomment<script>alert("RedTeam Pentesting")</script>Z�%tEXtdate:create2020-08-07T14:04:59+02:00��+�%tEXtdate:modify2020-08-07T14:04:59+02:00���IEN

$ curl -i -o - http://localhost:8001
curl: (56) Recv failure: Connection reset by peer

Not entirely sure what is going on here - maybe the update will clarify things. Returning to this later.
CC: (none) => tarazed25
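The default described in the advisory, and visible in the curl output above (a PNG served as text/html), can be countered in application code on an unpatched toolchain by fixing the Content-Type before the CGI layer picks one. This is an added Go example, not code from the Go project or from this report; legacyWriter, sniffWriter and the sample bytes are hypothetical stand-ins constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// legacyWriter: hypothetical stand-in for the pre-fix cgi/fcgi default (text/html).
type legacyWriter struct{ hdr http.Header }

func (w *legacyWriter) Header() http.Header { return w.hdr }
func (w *legacyWriter) WriteHeader(int)     { w.Write(nil) }
func (w *legacyWriter) Write(p []byte) (int, error) {
	if w.hdr.Get("Content-Type") == "" {
		w.hdr.Set("Content-Type", "text/html; charset=utf-8")
	}
	return len(p), nil
}

// sniffWriter sets a missing Content-Type from the body and adds nosniff.
type sniffWriter struct{ http.ResponseWriter }

func (s sniffWriter) setType(ct string) {
	if s.Header().Get("Content-Type") == "" {
		s.Header().Set("Content-Type", ct)
	}
	s.Header().Set("X-Content-Type-Options", "nosniff")
}
func (s sniffWriter) WriteHeader(code int) {
	s.setType("application/octet-stream") // no body seen yet: inert default
	s.ResponseWriter.WriteHeader(code)
}
func (s sniffWriter) Write(p []byte) (int, error) {
	s.setType(http.DetectContentType(p))
	return s.ResponseWriter.Write(p)
}

// pngUpload is constructed sample data: a PNG signature followed by markup.
var pngUpload = []byte("\x89PNG\r\n\x1a\ntEXtcomment<script>alert(1)</script>")

// contentTypeSeen returns the Content-Type a client would get for pngUpload.
func contentTypeSeen(hardened bool) string {
	var w http.ResponseWriter = &legacyWriter{hdr: http.Header{}}
	if hardened {
		w = sniffWriter{w}
	}
	w.Write(pngUpload)
	return w.Header().Get("Content-Type")
}

func main() { fmt.Println(contentTypeSeen(false), "=>", contentTypeSeen(true)) }
```

Handlers that already set an explicit Content-Type pass through the wrapper unchanged; only the nosniff header is added.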
With reference to comment 6 - sorry about the apparent typos - having trouble with my keyboard failing to respond repeatedly. Batteries have been checked.
May I ask a silly question? Has the golang update definitely been pushed to updates_testing? No sign of it yet after 24 hours. Tried a couple of mirrors.
It's on princeton ... https://mirror.math.princeton.edu/pub/mageia/distrib/7.1/x86_64/media/core/updates_testing/golang-1.13.15-2.mga7.x86_64.rpm along with the other golang rpm packages.
CC: (none) => davidwhodgins
Thanks Dave - switching now.
However, there was a problem. Using drakconf to switch to Princeton brought up distrib/mga7/ media and as with belnet and cz.muni there are no golang updates. There now seem to be mga7 and mga7.1 distributions on the mirrors and no testing updates go to mga7. This is something new. Tried editing /etc/mageia-release and indeed it was the mga7.1 hdlists which were accessed when the media were reinstalled. But. Enabling testing and running 'urpmi.update -a' and then MageiaUpdate still resulted in failure to find the golang packages. Visited one of the European sites and confirmed that the testing updates were available in the mga7.1 branch and could be downloaded to a local directory and installed from there but that is a clumsy way to work. Too late to do any testing now but hope somebody can explain what is going on in updates.
Getting stranger. The mga7 branch *does* have the testing updates but the golang packages are still invisible to MageiaUpdate.
Beginning to wonder if this has something to do with certificates because downloading with wget requires the flag --no-check-certificate.
Confirmed there is a problem with the core updates testing hdlist file.

# urpmq -i golang|grep ^Source|sort -uV
Source RPM : golang-1.12.5-1.mga7.src.rpm
Source RPM : golang-1.12.8-1.mga7.src.rpm
Source RPM : golang-1.12.11-1.mga7.src.rpm
Source RPM : golang-1.12.17-1.mga7.src.rpm
Source RPM : golang-1.13.15-1.mga7.src.rpm

# urpmq --list-url|grep ^'Core Updates Testing'
Core Updates Testing (distrib5) http://mirror.math.princeton.edu/pub/mageia/distrib/7/x86_64/media/core/updates_testing

https://mirror.math.princeton.edu/pub/mageia/distrib/7.1/x86_64/media/core/updates_testing/golang-1.13.15-2.mga7.x86_64.rpm

Adding sysadmin to cc list and feedback keyword
CC: (none) => sysadmin-bugs
Keywords: (none) => feedback
CC: (none) => ouaurelien
Assignee: qa-bugs => pterjan
I don't see a problem

$ urpmf --sourcerpm --synthesis 7/x86_64/media/core/updates_testing/media_info/synthesis.hdlist.cz golang:
golang-bin:golang-1.13.15-2.mga7.src.rpm

$ urpmf --sourcerpm --synthesis 7/x86_64/media/core/updates/media_info/synthesis.hdlist.cz golang:
golang-bin:golang-1.12.8-1.mga7.src.rpm
golang-bin:golang-1.12.11-1.mga7.src.rpm
golang-bin:golang-1.12.17-1.mga7.src.rpm
golang-bin:golang-1.13.15-1.mga7.src.rpm

$ urpmf --sourcerpm --use-distrib http://mirror.math.princeton.edu/pub/mageia/distrib/7/x86_64/ --media Testing golang:
http://mirror.math.princeton.edu/pub/mageia/distrib/7/x86_64/media/core/updates_testing/media_info/20201113-143929-info.xml.lzma
golang:golang-1.13.15-2.mga7.src.rpm
http://mirror.math.princeton.edu/pub/mageia/distrib/7/x86_64/media/debug/core/updates_testing/media_info/20201113-143918-info.xml.lzma
http://mirror.math.princeton.edu/pub/mageia/distrib/7/x86_64/media/core/backports_testing/media_info/20201027-205241-info.xml.lzma
http://mirror.math.princeton.edu/pub/mageia/distrib/7/x86_64/media/debug/core/backports_testing/media_info/20201027-205243-info.xml.lzma
http://mirror.math.princeton.edu/pub/mageia/distrib/7/x86_64/media/nonfree/updates_testing/media_info/20201112-084706-info.xml.lzma
http://mirror.math.princeton.edu/pub/mageia/distrib/7/x86_64/media/debug/nonfree/updates_testing/media_info/20201029-215201-info.xml.lzma
http://mirror.math.princeton.edu/pub/mageia/distrib/7/x86_64/media/nonfree/backports_testing/media_info/20200825-090834-info.xml.lzma
http://mirror.math.princeton.edu/pub/mageia/distrib/7/x86_64/media/debug/nonfree/backports_testing/media_info/20200825-090834-info.xml.lzma
http://mirror.math.princeton.edu/pub/mageia/distrib/7/x86_64/media/tainted/updates_testing/media_info/20201020-162014-info.xml.lzma
http://mirror.math.princeton.edu/pub/mageia/distrib/7/x86_64/media/debug/tainted/updates_testing/media_info/20201020-162014-info.xml.lzma
http://mirror.math.princeton.edu/pub/mageia/distrib/7/x86_64/media/tainted/backports_testing/media_info/20190628-001413-info.xml.lzma
http://mirror.math.princeton.edu/pub/mageia/distrib/7/x86_64/media/debug/tainted/backports_testing/media_info/20190628-001413-info.xml.lzma
http://mirror.math.princeton.edu/pub/mageia/distrib/7/i586/media/core/updates_testing/media_info/20201113-143914-info.xml.lzma
golang:golang-1.13.15-2.mga7.src.rpm
http://mirror.math.princeton.edu/pub/mageia/distrib/7/i586/media/core/backports_testing/media_info/20201027-205234-info.xml.lzma
http://mirror.math.princeton.edu/pub/mageia/distrib/7/i586/media/nonfree/updates_testing/media_info/20201112-084708-info.xml.lzma
http://mirror.math.princeton.edu/pub/mageia/distrib/7/i586/media/nonfree/backports_testing/media_info/20200825-090833-info.xml.lzma
http://mirror.math.princeton.edu/pub/mageia/distrib/7/i586/media/tainted/updates_testing/media_info/20201020-162013-info.xml.lzma
http://mirror.math.princeton.edu/pub/mageia/distrib/7/i586/media/tainted/backports_testing/media_info/20190628-001412-info.xml.lzma
OK, back in QA.
Assignee: pterjan => qa-bugs
Keywords: feedback => (none)
Back to golang - updates installed fine this time. ??
Hurrying this along. Usual test is to build docker.

$ mgarepo co -d 7 docker
$ cd docker
<pull sources>
$ bm -ls
<check for missing package dependencies>
$ sudo urpmi --buildrequires SPECS/docker.spec
<That installed the man markdown packages - I think>
$ bm -l
.....
+ /usr/bin/rm -rf /home/lcl/docker/docker/BUILDROOT/docker-18.09.9-1.2.mga7.x86_64
+ exit 0
succeeded!

Ready for use.
Whiteboard: (none) => MGA7-64-OK
Validating, Packages and Advisory in Comment 5. Advisory pushed to SVN.
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0424.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED