Golang has issued an advisory on September 9: https://groups.google.com/g/golang-announce/c/dx9d7IOseHw The issue is fixed upstream in 1.16.8. 1.15.x is also affected. They also made an announcement of an upcoming advisory and 1.16.9 release today (October 4) which will be released on October 7: https://groups.google.com/g/golang-announce/c/7efr4VBoZIw Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Assigning to the registered maintainer.
Assignee: bugsquad => joequantCC: (none) => marja11
CC: (none) => bruno
openSUSE has issued an advisory for this on October 6: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5EY52N4KALEDKULS6YHUPW2C7OJTGHTS/
pushed into mga8/9 src: - golang-1.15.15-1.1.mga8
Version: Cauldron => 8Assignee: joequant => qa-bugsCC: (none) => joequant, mageia
(In reply to David Walser from comment #0) > They also made an announcement of an upcoming advisory and 1.16.9 release > today (October 4) which will be released on October 7: > https://groups.google.com/g/golang-announce/c/7efr4VBoZIw Here's the announcement from October 7: https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A Cauldron needs to be updated again to 1.16.9. I'm not sure if Mageia 8 is affected by this new issue.
Summary: golang new security issue CVE-2021-39293 => golang new security issues CVE-2021-39293 and CVE-2021-38297Assignee: qa-bugs => mageiaVersion: 8 => Cauldron
golang-1.17.2-1.mga9 uploaded for Cauldron by Bruno.
Version: Cauldron => 8Whiteboard: MGA8TOO => (none)
same version uploaded for mga8 into update_testing
Assignee: mageia => qa-bugsStatus: NEW => ASSIGNED
golang-docs-1.17.2-1.mga8 golang-misc-1.17.2-1.mga8 golang-tests-1.17.2-1.mga8 golang-src-1.17.2-1.mga8 golang-race-1.17.2-1.mga8 golang-shared-1.17.2-1.mga8 golang-bin-1.17.2-1.mga8 from golang-1.17.2-1.mga8.src.rpm
mga8, x64 Installed listed golang components. $ go version go version go1.15.15 linux/amd64 Set GOPATH and GOROOT variables. $ go run src/hello.go Good morning QA !AQ gninrom dooG Updated the files from updates testing. qarepo failed on four of the files - rsync: [Receiver] safe_read failed to read 1 bytes: Connection reset by peer (104) Tried again and received the rest of the files but failed on the pubkey. Tried again and the pubkey was received. Proceeded with MageiaUpdate and that failed. This keeps happening so I am abandoning qarepo. Installed all the packages manually. $ rpm -qa | grep golang golang-docs-1.17.2-1.mga8 golang-1.17.2-1.mga8 golang-tests-1.17.2-1.mga8 golang-bin-1.17.2-1.mga8 golang-race-1.17.2-1.mga8 golang-misc-1.17.2-1.mga8 golang-src-1.17.2-1.mga8 golang-shared-1.17.2-1.mga8 Ran the helloworld test - OK. Built docker using mgarepo and the build machine. $ mgarepo co docker $ cd docker $ bm -s creating package list processing package %{origname}-%{moby_version}-%mkrel 1 building source package succeeded! $ sudo urpmi --buildrequires SPECS/docker.spec ................. Proceed with the installation of the 59 packages? (Y/n) $ bm creating package list processing package %{origname}-%{moby_version}-%mkrel 1 building source and binary packages succeeded! $ cd RPMS/x86_64 $ ls docker-20.10.9-1.mga8.x86_64.rpm docker-devel-20.10.9-1.mga8.x86_64.rpm docker-fish-completion-20.10.9-1.mga8.x86_64.rpm docker-logrotate-20.10.9-1.mga8.x86_64.rpm docker-nano-20.10.9-1.mga8.x86_64.rpm docker-zsh-completion-20.10.9-1.mga8.x86_64.rpm Giving this the go-ahead and validating.
Whiteboard: (none) => MGA8-64-OKKeywords: (none) => validated_updateCC: (none) => tarazed25, sysadmin-bugs
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0475.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED