Debian-LTS has issued an advisory today (December 9): https://www.debian.org/lts/security/2020/dla-2485 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
First things first: golang-x-net is good for M8 -> Guillaume. golang-googlecode-net is M7 only, no evident maintainer (listed JoeQuant, do not think he is active now). Start with Guillaume; if you want somebody else to do the 2nd one, please re-assign it.
Assignee: bugsquad => guillomovitch
Assignee: guillomovitch => bugsquad
Originally imported by Pascal, rename to golang-x-net handled by Guillaume. Guillaume, can't you handle this one for Cauldron?
CC: (none) => guillomovitch, pterjan
I failed to find out what is in the Debian update. The only upstream reference to those CVEs is https://github.com/golang/net/commit/74dc4d7220e7acc4e100824340f3e66577424772, which was committed on Aug 13, 2019, so would not affect the version in Cauldron.
golang-googlecode-net with the patch submitted to Mageia 7.
Summary: golang-x-net / golang-googlecode-net new security issues CVE-2019-9512 and CVE-2019-9514 => golang-googlecode-net new security issues CVE-2019-9512 and CVE-2019-9514
Whiteboard: MGA7TOO => (none)
Source RPM: golang-x-net-0-0.6.mga8.src.rpm, golang-googlecode-net-0-0.2.mga7.src.rpm => golang-googlecode-net-0-0.2.mga7.src.rpm
Version: Cauldron => 7
CC: guillomovitch => (none)
Assignee: bugsquad => qa-bugs
Advisory:
========================

Updated golang-googlecode-net package fixes security vulnerabilities:

This code was vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both (CVE-2019-9512).

This code was vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both (CVE-2019-9514).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9514
https://www.debian.org/lts/security/2020/dla-2485
========================

Updated packages in core/updates_testing:
========================

golang-golang-org-net-devel-0-0.3.mga7 from golang-golang-org-net-devel-0-0.3.mga7.src.rpm
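The two floods in the advisory share one failure mode: an outbound queue of small reply frames (PING acks, RST_STREAM) that the peer can grow faster than the server's write loop drains it, and the upstream fix is understood to answer with a hard budget on queued control frames beyond which the connection is closed. The Go model below is an added example written for this bug page, not code from golang.org/x/net or from the Mageia package; the conn type, the budget of 100 and the flush schedules are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrTooManyControlFrames = errors.New("http2: too many control frames in send queue, closing connection")
// conn models one server connection's queue of small reply frames: PING acks
// (CVE-2019-9512) and RST_STREAM (CVE-2019-9514). Both floods make the peer queue
// replies faster than its write loop drains them; a budget caps that growth.
type conn struct {
	maxQueued int      // assumed budget for this demo, not the library's own constant
	queue     []string // frame kinds still waiting to be written
	closed    bool
}

func newConn(maxQueued int) *conn { return &conn{maxQueued: maxQueued} }

// enqueue records a reply the peer's traffic obliges us to send; past the budget
// the connection is closed instead of the queue growing without bound.
func (c *conn) enqueue(kind string) error {
	if c.closed {
		return ErrTooManyControlFrames
	}
	if c.queue = append(c.queue, kind); len(c.queue) > c.maxQueued {
		c.closed, c.queue = true, nil // the backlog dies with the connection
		return ErrTooManyControlFrames
	}
	return nil
}

// floodUntilClosed sends `frames` frames of one kind, with the write loop flushing the
// queue only after every `flushEvery` arrivals; returns frames accepted and whether closed.
func floodUntilClosed(c *conn, kind string, frames, flushEvery int) (int, bool) {
	for i := 1; i <= frames; i++ {
		if err := c.enqueue(kind); err != nil {
			return i - 1, true
		}
		if i%flushEvery == 0 {
			c.queue = c.queue[:0] // the write loop caught up and wrote everything
		}
	}
	return frames, false
}

func main() {
	fmt.Println(floodUntilClosed(newConn(100), "PING_ACK", 1000, 150)) // 100 true: starved writer, budget trips
	fmt.Println(floodUntilClosed(newConn(100), "RST_STREAM", 1000, 10)) // 1000 false: writer keeps pace
}
```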
mga7, x64 Found version 0.2 already installed. /usr/share/doc/golang-golang-org-net-devel/README.md gives no details of how it works or is to be used other than its supplying networking to golang. As a devel package it is probably intended to form part of the programming environment so would be virtually impossible for QA to test. Any go coders out there? Passing this on the basis of a clean install.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
As far as I understand, package golang-googlecode-net-0-0.2.mga7.src.rpm is replaced by golang-golang-org-net-devel-0-0.3.mga7.src.rpm. Is this correct?
CC: (none) => ouaurelien
No, the srpm name hasn't changed, it was incorrect in his advisory.
So the new one should be golang-googlecode-net-0-0.3.mga7.src.rpm? Because I do see: http://ftp.free.fr/mirrors/mageia.org/distrib/7.1/x86_64/media/core/updates_testing/golang-golang-org-net-devel-0-0.3.mga7.x86_64.rpm
Yes. Replace x86_64/media in your URL with SRPMS.
And I say I'm sorry.
No worries.
Advisory:
========================

Updated golang-googlecode-net package fixes security vulnerabilities:

This code was vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both (CVE-2019-9512).

This code was vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both (CVE-2019-9514).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9514
https://www.debian.org/lts/security/2020/dla-2485
========================

Updated packages in core/updates_testing:
========================

golang-golang-org-net-devel-0-0.3.mga7 from golang-googlecode-net-0-0.3.mga7.src.rpm

Pushed to SVN. Validating.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0468.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED