Bug 30117 - golang new security issues CVE-2022-2377[23] and CVE-2022-23806
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-03-04 19:25 CET by David Walser
Modified: 2022-03-08 00:11 CET

See Also:
Source RPM: golang-1.17.5-1.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2022-03-04 19:25:53 CET
openSUSE has issued an advisory today (March 4):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OPXUBD6DBIW4WEXMYCUH5OXEVJIKJHR4/

The issues are fixed upstream in 1.17.7:
https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ

Mageia 8 is also affected.

David Walser 2022-03-04 19:26:09 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.17.7
CC: (none) => bruno

Comment 1 Bruno Cornec 2022-03-05 02:01:55 CET
Cauldron and mga8 updated with golang-1.17.7-1.mga8.src.rpm

Version: Cauldron => 8
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 2 David Walser 2022-03-05 02:14:13 CET
golang-tests-1.17.7-1.mga8
golang-1.17.7-1.mga8
golang-misc-1.17.7-1.mga8
golang-docs-1.17.7-1.mga8
golang-src-1.17.7-1.mga8
golang-shared-1.17.7-1.mga8
golang-bin-1.17.7-1.mga8

from golang-1.17.7-1.mga8.src.rpm

Status comment: Fixed upstream in 1.17.7 => (none)

Comment 3 Len Lawrence 2022-03-05 09:35:42 CET
mageia8, x86_64

The seven packages updated cleanly.
To test, rebuilt docker in user directory.
Installed mgarepo and bm.

$ mgarepo co docker
$ cd docker
$ bm -s
creating package list
processing package %{origname}-%{moby_version}-%mkrel 3
building source package
succeeded!
$ ll
total 24
drwxr-xr-x 2 lcl lcl 4096 Mar  5 08:23 BUILD/
drwxr-xr-x 2 lcl lcl 4096 Mar  5 08:23 BUILDROOT/
drwxr-xr-x 2 lcl lcl 4096 Mar  5 08:23 RPMS/
drwxr-xr-x 2 lcl lcl 4096 Mar  5 08:22 SOURCES/
drwxr-xr-x 2 lcl lcl 4096 Mar  5 08:23 SPECS/
drwxr-xr-x 2 lcl lcl 4096 Mar  5 08:23 SRPMS/
$ sudo urpmi --buildrequires SPECS/docker.spec
[...]
66MB of additional disk space will be used.
12MB of packages will be retrieved.
Proceed with the installation of the 46 packages? (Y/n) 

OK so far.

$ bm
creating package list
processing package %{origname}-%{moby_version}-%mkrel 3
building source and binary packages
<few minutes wait>
succeeded!

$ ls RPMS/x86_64
docker-20.10.9-3.mga8.x86_64.rpm
docker-devel-20.10.9-3.mga8.x86_64.rpm
docker-fish-completion-20.10.9-3.mga8.x86_64.rpm
docker-logrotate-20.10.9-3.mga8.x86_64.rpm
docker-nano-20.10.9-3.mga8.x86_64.rpm
docker-zsh-completion-20.10.9-3.mga8.x86_64.rpm

golang is working.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 4 Len Lawrence 2022-03-05 09:37:30 CET
And final check:
$ rpm -q docker
docker-20.10.9-3.mga8

Comment 5 Thomas Andrews 2022-03-06 21:39:20 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-03-07 20:55:43 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-03-08 00:11:24 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0091.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

