Bug 29717 - golang new security issues CVE-2021-4177[12]
Summary: golang new security issues CVE-2021-4177[12]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-12-01 23:24 CET by David Walser
Modified: 2021-12-03 19:46 CET

See Also:
Source RPM: golang-1.17.2-1.mga8.src.rpm
CVE:
Status comment:


Attachments
hello testfile (74 bytes, text/plain)
2021-12-02 14:41 CET, Herman Viaene

Description David Walser 2021-12-01 23:24:41 CET
SUSE has issued an advisory today (December 1):
https://lists.suse.com/pipermail/sle-security-updates/2021-December/009791.html

The issues are fixed upstream in 1.17.3:
https://groups.google.com/g/golang-announce/c/0fM21h43arc

Mageia 8 is also affected.
David Walser 2021-12-01 23:25:04 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.17.3

Comment 1 David Walser 2021-12-01 23:33:20 CET
openSUSE has issued an advisory for this today (December 1):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DRORBGLIRSYNYTIE3EARJHAXYB2X5YQ3/
Comment 2 Bruno Cornec 2021-12-01 23:34:54 CET
Working on it

Status: NEW => ASSIGNED

Bruno Cornec 2021-12-01 23:35:04 CET

CC: (none) => bruno

Comment 3 Bruno Cornec 2021-12-01 23:51:42 CET
1.17.3 pushed to both cauldron and mga8

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: bruno => qa-bugs

Comment 4 David Walser 2021-12-02 00:09:03 CET
Thanks Bruno.

golang-docs-1.17.3-1.mga8
golang-misc-1.17.3-1.mga8
golang-1.17.3-1.mga8
golang-tests-1.17.3-1.mga8
golang-src-1.17.3-1.mga8
golang-shared-1.17.3-1.mga8
golang-bin-1.17.3-1.mga8

from golang-1.17.3-1.mga8.src.rpm

Status comment: Fixed upstream in 1.17.3 => (none)

Comment 5 Herman Viaene 2021-12-02 14:40:57 CET
MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 29526 Comment 8, but most of it is way above me. Found hello.go at https://go.dev/tour/welcome/1 (I will attach it)
$ go run hello.go 
Hello, 世界

Looks OK, but leaving to the experts to judge whether this is good enough.

CC: (none) => herman.viaene

Comment 6 Herman Viaene 2021-12-02 14:41:32 CET
Created attachment 13016
hello testfile
Comment 7 Len Lawrence 2021-12-02 18:16:17 CET
Thanks Herman.  Just going to build docker after updating the seven packages.  That is our usual test.
Yep.  That went very well.  Local build of docker in user directory.  No errors.
It produced a lot of files.
$ du -hs .
274M	.

$ ls RPMS/x86_64
docker-20.10.9-3.mga8.x86_64.rpm
docker-devel-20.10.9-3.mga8.x86_64.rpm
docker-fish-completion-20.10.9-3.mga8.x86_64.rpm
docker-logrotate-20.10.9-3.mga8.x86_64.rpm
docker-nano-20.10.9-3.mga8.x86_64.rpm
docker-zsh-completion-20.10.9-3.mga8.x86_64.rpm

This is OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 8 Thomas Andrews 2021-12-02 21:02:45 CET
I built docker once for a test with Foolishness, my 32-bit Inspiron, because the particular issue was for 32-bits. It was an... Interesting experience. Not one I wish to repeat unless it's necessary.

I think one arch is sufficient this time. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-12-03 17:56:57 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2021-12-03 19:46:55 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0537.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
