Bug 29807 - golang new security issues CVE-2021-4471[67]
Summary: golang new security issues CVE-2021-4471[67]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-12-23 17:45 CET by David Walser
Modified: 2021-12-26 01:15 CET

See Also:
Source RPM: golang-1.17.3-1.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 1.17.5


Description David Walser 2021-12-23 17:45:47 CET
SUSE has issued an advisory today (December 23):
https://lists.suse.com/pipermail/sle-security-updates/2021-December/009942.html

The issues are fixed upstream in 1.17.5:
https://groups.google.com/g/golang-announce/c/hcmEScgc00k

Mageia 8 is also affected.
David Walser 2021-12-23 17:46:04 CET

Status comment: (none) => Fixed upstream in 1.17.5
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2021-12-23 17:57:34 CET
openSUSE has issued an advisory for this today (December 23):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LSVRDOAVYBVEWAKYWYYNOIQSYE4FHHAJ/
Bruno Cornec 2021-12-23 21:53:42 CET

Status: NEW => ASSIGNED

Comment 2 Bruno Cornec 2021-12-23 22:04:35 CET
golang 1.17.5 pushed to cauldron.

CC: (none) => bruno

David Walser 2021-12-23 23:18:37 CET

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 3 Bruno Cornec 2021-12-23 23:33:50 CET
Same version pushed to mga8 updates_testing

Assignee: bruno => qa-bugs

Comment 4 David Walser 2021-12-23 23:45:19 CET
golang-docs-1.17.5-1.mga8
golang-misc-1.17.5-1.mga8
golang-1.17.5-1.mga8
golang-tests-1.17.5-1.mga8
golang-src-1.17.5-1.mga8
golang-race-1.17.5-1.mga8
golang-shared-1.17.5-1.mga8
golang-bin-1.17.5-1.mga8

from golang-1.17.5-1.mga8.src.rpm
Comment 5 Len Lawrence 2021-12-24 00:57:44 CET
mga8, x64
So soon?
Updated cleanly via qarepo.
Trying docker build as a test:
$ cd docker
$ rm -rf docker
$ mgarepo co docker
$ cd docker
$ bm -s
creating package list
processing package %{origname}-%{moby_version}-%mkrel 3
building source package
succeeded!
$ sudo urpmi --buildrequires SPECS/docker.spec
warning: Macro expanded in comment on line 43: %{shortcommit_moby}

warning: line 119: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-swarm
warning: line 121: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-vim
$ bm
creating package list
processing package %{origname}-%{moby_version}-%mkrel 3
building source and binary packages
succeeded!
$ ls RPMS/x86_64
docker-20.10.9-3.mga8.x86_64.rpm
docker-devel-20.10.9-3.mga8.x86_64.rpm
docker-fish-completion-20.10.9-3.mga8.x86_64.rpm
docker-logrotate-20.10.9-3.mga8.x86_64.rpm
docker-nano-20.10.9-3.mga8.x86_64.rpm
docker-zsh-completion-20.10.9-3.mga8.x86_64.rpm

OK for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 6 Len Lawrence 2021-12-24 01:00:15 CET
$ rpm -q golang
golang-1.17.5-1.mga8
Comment 7 Thomas Andrews 2021-12-24 17:36:15 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-12-25 23:34:56 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2021-12-26 01:15:23 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0587.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

