Bug 28228 - golang new security issues CVE-2021-3114 and CVE-2021-3115
Summary: golang new security issues CVE-2021-3114 and CVE-2021-3115
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Joseph Wang
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on: 29037
Blocks:
  Show dependency treegraph
 
Reported: 2021-01-26 18:36 CET by David Walser
Modified: 2021-07-01 18:29 CEST (History)
2 users (show)

See Also:
Source RPM: golang-1.13.15-3.mga7.src.rpm
CVE: CVE-2021-3114, CVE-2021-3115
Status comment: Fixed upstream in 1.15.7

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-01-26 18:36:25 CET 
SUSE has issued an advisory today (January 26):
https://lists.suse.com/pipermail/sle-security-updates/2021-January/008246.html

The issues are fixed upstream in 1.15.7.

Mageia 7 may also be affected.
David Walser 2021-01-26 18:36:55 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 1.15.7

Comment 1 Nicolas Lécureuil 2021-01-27 23:14:56 CET 
patches added in cauldron.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia

Comment 2 Aurelien Oudelet 2021-01-28 20:53:19 CET 
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => joequant
CVE: (none) => CVE-2021-3114, CVE-2021-3115
Source RPM: golang-1.15.6-1.mga8.src.rpm => golang-1.13.15-3.mga7.src.rpm
CC: (none) => ouaurelien

Comment 3 David Walser 2021-01-30 16:14:24 CET 
openSUSE has issued an advisory for this today (January 30):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5JVN2JM5TB7JXDFH25XPTVDVURPTQ3WB/
Comment 4 David Walser 2021-02-26 16:32:44 CET 
Debian has issued an advisory for the first of these issues on February 8:
https://www.debian.org/security/2021/dsa-4848

They backported the fix to 1.11.x.
David Walser 2021-05-30 03:47:03 CEST

Depends on: (none) => 29037

Comment 5 David Walser 2021-07-01 18:29:35 CEST 
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Status: NEW => RESOLVED
Resolution: (none) => OLD
Note You need to log in before you can comment on or make changes to this bug.