Fedora has issued an advisory on April 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HHGBEGJ54DZZGTXFUQNS7ZIG3E624YAF/
Mageia 8 is also affected.
CC: (none) => joequant
Whiteboard: (none) => MGA8TOO
already fixed in cauldron
Whiteboard: MGA8TOO => (none)
CC: (none) => mageia
Version: Cauldron => 8
Apparently docker-containerd needs to be rebuilt after fixing this:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QEUMK3PSJ5NWTNRYD4NCKCI2QFWD3MIU/
(In reply to David Walser from comment #2)
> Apparently docker-containerd needs to be rebuilt after fixing this:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QEUMK3PSJ5NWTNRYD4NCKCI2QFWD3MIU/
and so does golang-github-envoyproxy-protoc-gen-validate:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JEX3J6S5PUUNLWYVJJLRZR5OLVQSEG63/
and *possibly* golang-github-grpc-ecosystem-gateway (Fedora's is 2.x): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ROCG2IVQDIHQBGYEHNBEBAIBBAJPCP66/
and golang-github-spf13-cobra: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6O2PQN6JSSYP7W2TNO3CHA3MCRVZTCRF/
and golang-gopkg-src-d-git-4: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HJDTRAFERVOQ4XRGCNPWBPV4NSEY7AHU/
and golang-x-perf: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NY243XWDC6FN2CYDWS6UTH23QFK7O4FB/
SUSE has issued an advisory on May 3:
https://lists.suse.com/pipermail/sle-security-updates/2022-May/010921.html
Their docker-containerd was affected by this and another golang-x-crypto issue.
Summary: golang-x-crypto new security issue CVE-2022-27191 => golang-x-crypto new security issues CVE-2021-43565 and CVE-2022-27191
(In reply to David Walser from comment #7)
> and golang-x-perf:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NY243XWDC6FN2CYDWS6UTH23QFK7O4FB/
and golang-x-exp:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CSK2WSATFKWMIL25LDCZSLZODLXQ47H4/
Updating to a new git snapshot requires new dependencies, such as golang-x-term, which were not present in Mageia 8. What is the procedure for introducing new packages in updates?
svn cp svn+ssh://svn.mageia.org/svn/packages/cauldron/golang-x-term svn+ssh://svn.mageia.org/svn/packages/updates/8/ -m 'backport golang-x-term dependency for golang-x-crypto update'
Something like that. Then you can mgarepo co it and set the release tag back to 1 if it isn't already.
Built so far by Guillaume:
golang-x-term-devel-0-1.mga8
golang-x-crypto-devel-0-0.31.1.mga8
from SRPMS:
golang-x-term-0-1.mga8.src.rpm
golang-x-crypto-0-0.31.1.mga8.src.rpm
Possibly needed rebuilds still pending.
(In reply to David Walser from comment #8)
> SUSE has issued an advisory on May 3:
> https://lists.suse.com/pipermail/sle-security-updates/2022-May/010921.html
>
> Their docker-containerd was affected by this and another golang-x-crypto
> issue.
Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GLQWASKPS7Q4NRXKRDNAWDTE3NI3CGU3/
Blocks: (none) => 31268
(In reply to David Walser from comment #2)
> Apparently docker-containerd needs to be rebuilt after fixing this:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QEUMK3PSJ5NWTNRYD4NCKCI2QFWD3MIU/
For me docker-containerd is not concerned as patches are related to the ssh subsystem which is not relevant to docker-containerd.
CC: (none) => bruno
Debian-LTS has issued an advisory on June 16:
https://www.debian.org/lts/security/2023/dla-3455
It lists some older issues that might affect this.
Blocks: 31268 => (none)
(In reply to David Walser from comment #13)
> (In reply to David Walser from comment #8)
> > SUSE has issued an advisory on May 3:
> > https://lists.suse.com/pipermail/sle-security-updates/2022-May/010921.html
> >
> > Their docker-containerd was affected by this and another golang-x-crypto
> > issue.
>
> Equivalent openSUSE advisory:
> https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GLQWASKPS7Q4NRXKRDNAWDTE3NI3CGU3/
Bruno,
What about this one w.r.t docker-containerd?
(In reply to David Walser from comment #16)
> (In reply to David Walser from comment #13)
> > (In reply to David Walser from comment #8)
> > > SUSE has issued an advisory on May 3:
> > > https://lists.suse.com/pipermail/sle-security-updates/2022-May/010921.html
> > >
> > > Their docker-containerd was affected by this and another golang-x-crypto
> > > issue.
> >
> > Equivalent openSUSE advisory:
> > https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GLQWASKPS7Q4NRXKRDNAWDTE3NI3CGU3/
>
> Bruno,
>
> What about this one w.r.t docker-containerd?
My comment has not changed since comment 14:
For me docker-containerd is not concerned as patches are related to the ssh subsystem which is not relevant to docker-containerd.
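The rebuild question discussed above (a binary bundles golang.org/x/crypto, but the fixes are in its ssh package) can be checked per binary. This is an added example, not part of the bug thread or of Mageia's tooling; it assumes text saved from `go version -m` and `go tool nm`, and the sample data and the names tool-a, tool-b and tool-c are constructed.

```shell
#!/bin/sh
# Added example: triage whether a Go binary needs a rebuild for an x/crypto/ssh fix.
# Inputs are saved text from `go version -m BIN` (modules) and `go tool nm BIN` (symbols).

# Print the golang.org/x/crypto version recorded in `go version -m` output.
xcrypto_version() {
    awk '$1 == "dep" && $2 == "golang.org/x/crypto" { print $3 }' "$1"
}

# True if a linked symbol belongs to package x/crypto/ssh itself. Go symbol names
# carry the import path; vendored copies end in the same path suffix.
# Subpackages such as ssh/terminal are deliberately not matched.
links_ssh() {
    grep -Eq '(^|[ /])golang\.org/x/crypto/ssh\.' "$1"
}

# Verdict: not-bundled | inconclusive | ssh-unused | rebuild
triage() {
    [ -n "$(xcrypto_version "$1")" ] || { echo not-bundled; return; }
    # A stripped binary yields no symbols: absence of ssh then proves nothing.
    [ -s "$2" ] || { echo inconclusive; return; }
    if links_ssh "$2"; then echo rebuild; else echo ssh-unused; fi
}

# --- constructed sample data (not taken from any real package) ---
d=$(mktemp -d)
printf 'tool-a: go1.17\n\tdep\tgolang.org/x/crypto\tv0.0.0-20210101000000-000000000000\n' > "$d/a.mod"
printf 'tool-c: go1.17\n\tdep\tgolang.org/x/sys\tv0.0.0-20210101000000-000000000000\n' > "$d/c.mod"
printf '%s\n' '  4a1000 T golang.org/x/crypto/ssh.(*Client).NewSession' \
              '  4a2000 T main.main' > "$d/a.nm"
printf '%s\n' '  4b1000 T golang.org/x/crypto/bcrypt.GenerateFromPassword' \
              '  4b2000 T golang.org/x/crypto/ssh/terminal.ReadPassword' > "$d/b.nm"
: > "$d/empty.nm"

echo "tool-a:   $(triage "$d/a.mod" "$d/a.nm")"      # links package ssh
echo "tool-b:   $(triage "$d/a.mod" "$d/b.nm")"      # bundles x/crypto, no ssh symbols
echo "tool-c:   $(triage "$d/c.mod" "$d/a.nm")"      # x/crypto is not a dependency
echo "stripped: $(triage "$d/a.mod" "$d/empty.nm")"  # no symbol table available
```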
Mageia 8 EOL
CC: (none) => nicolas.salguero
Resolution: (none) => OLD
Status: NEW => RESOLVED