Upstream has announced 1.17.9 on April 12, fixing security issues: https://groups.google.com/g/golang-announce/c/oecdBNLOml8 Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.17.9
Whiteboard: (none) => MGA8TOO
openSUSE has issued an advisory on April 26: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6F72F4XQADWZ2XEWVPBHNKW46B6FKIXL/
joequant updated cauldron. I did the proposal of update for mga8: SRPMS/golang-1.17.9-1.mga8.src.rpm
CC: (none) => bruno
Whiteboard: MGA8TOO => (none)
Assignee: bruno => qa-bugs
Version: Cauldron => 8
Status: NEW => ASSIGNED
golang-tests-1.17.9-1.mga8
golang-1.17.9-1.mga8
golang-misc-1.17.9-1.mga8
golang-docs-1.17.9-1.mga8
golang-src-1.17.9-1.mga8
golang-shared-1.17.9-1.mga8
golang-bin-1.17.9-1.mga8
from golang-1.17.9-1.mga8.src.rpm
Status comment: Fixed upstream in 1.17.9 => (none)
mga8, x64. On update, something about a missing signature, but it was possible to install all of the packages and build docker as a test.

$ mgarepo co docker
$ cd docker
$ bm -s
creating package list
processing package %{origname}-%{moby_version}-%mkrel 3
building source package succeeded!
$ sudo urpmi --buildrequires SPECS/docker.spec
<Pulled in 49 packages>
$ bm
creating package list
processing package %{origname}-%{moby_version}-%mkrel 3
building source and binary packages succeeded!
$ ls RPMS/x86_64
docker-20.10.14-3.mga8.x86_64.rpm
docker-devel-20.10.14-3.mga8.x86_64.rpm
docker-fish-completion-20.10.14-3.mga8.x86_64.rpm
docker-logrotate-20.10.14-3.mga8.x86_64.rpm
docker-nano-20.10.14-3.mga8.x86_64.rpm
docker-zsh-completion-20.10.14-3.mga8.x86_64.rpm

As reliable as ever but the initial error needs to be captured. Shall check that on another machine.
CC: (none) => tarazed25
The following packages have bad signatures:
/var/cache/urpmi/rpms/golang-misc-1.17.9-1.mga8.noarch.rpm: Missing signature (OK ((none)))
/var/cache/urpmi/rpms/golang-src-1.17.9-1.mga8.noarch.rpm: Missing signature (OK ((none)))
CC: (none) => davidwhodgins
Beat me to it.
Keywords: (none) => feedback
I have no idea why the packages have not all been signed correctly, but this is outside of what I can fix ;-) This is unrelated to the issue here. Let's assume that won't happen when packages are moved to updates after validation.
We may need a sysadmin to delete and resubmit it.
CC: (none) => sysadmin-bugs
Tried the suggestion to use `urpmi --clean` and reverted to golang-1.17.8-1. Tried again and hit the same two missing certificates. So comment 8 still applies.
Deleted and resubmitted to the build system. Should get signed properly this time.
Keywords: feedback => (none)
Thanks David. Repeated the update starting with qarepo. The installation succeeded without any error messages. Not strictly necessary to repeat the docker rebuild but did it anyway. No problems.
Whiteboard: (none) => MGA8-64-OK
Validating.
CC: (none) => andrewsfarm
Keywords: (none) => validated_update
CVE-2022-27536 appears to be for macOS only, so I've excluded it from the advisory. Advisory committed to svn as ...

type: security
subject: Updated golang packages fix security vulnerability
CVE:
 - CVE-2022-24675
 - CVE-2022-28327
src:
  8:
   core:
     - golang-1.17.9-1.mga8
description: |
  encoding/pem: fix stack overflow in Decode. A large (more than 5 MB) PEM
  input can cause a stack overflow in Decode, leading the program to crash
  (CVE-2022-24675)

  crypto/elliptic: tolerate all oversized scalars in generic P-256. A crafted
  scalar input longer than 32 bytes can cause P256().ScalarMult or
  P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and
  crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.
  (CVE-2022-28327)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=30362
 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6F72F4XQADWZ2XEWVPBHNKW46B6FKIXL/
Keywords: (none) => advisory
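As an added example, not code from this bug report or from the Go project, the program below shows the caller-side guards that follow from the two advisory descriptions: it bounds the size of PEM input before it reaches pem.Decode, and it rejects P-256 scalars longer than 32 bytes before calling ScalarBaseMult. MaxPEMBytes, the function and error names, and the sample PEM block are constructed for the example; such guards are only a stopgap for code that cannot yet run a fixed Go, the 1.17.9 update remains the fix.

```go
package main

import (
	"crypto/elliptic"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)

// MaxPEMBytes is an assumed application-level cap on PEM input. The value is
// constructed for this example and sits well below the "more than 5 MB"
// inputs the advisory names for CVE-2022-24675.
const MaxPEMBytes = 1 << 20

// P256ScalarBytes is the byte length of a P-256 scalar; the advisory says
// inputs longer than this trigger the panic in CVE-2022-28327.
const P256ScalarBytes = 32

var (
	ErrPEMTooLarge   = errors.New("pem input exceeds size limit")
	ErrNoPEMBlock    = errors.New("no PEM block found")
	ErrScalarTooLong = errors.New("P-256 scalar longer than 32 bytes")
)

// DecodePEMBounded checks the input length before it reaches pem.Decode, so
// an oversized input is refused with an error instead of being parsed.
func DecodePEMBounded(data []byte) (*pem.Block, error) {
	if len(data) > MaxPEMBytes {
		return nil, ErrPEMTooLarge
	}
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, ErrNoPEMBlock
	}
	return block, nil
}

// P256ScalarBaseMultChecked rejects scalars longer than 32 bytes before
// calling the curve's ScalarBaseMult, one of the entry points the advisory
// names; valid scalars are passed through unchanged.
func P256ScalarBaseMultChecked(k []byte) (x, y *big.Int, err error) {
	if len(k) > P256ScalarBytes {
		return nil, nil, ErrScalarTooLong
	}
	x, y = elliptic.P256().ScalarBaseMult(k)
	return x, y, nil
}

func main() {
	// Constructed sample: a tiny PEM block whose body is the base64 of three zero bytes.
	sample := []byte("-----BEGIN TEST-----\nAAAA\n-----END TEST-----\n")
	block, err := DecodePEMBounded(sample)
	if err != nil {
		fmt.Println("unexpected:", err)
		return
	}
	fmt.Println("decoded block", block.Type, "with", len(block.Bytes), "bytes")

	// Constructed oversized input: one byte over the cap, never handed to pem.Decode.
	_, err = DecodePEMBounded(make([]byte, MaxPEMBytes+1))
	fmt.Println("oversized PEM:", err)

	// A 33-byte scalar is refused; a 32-byte scalar equal to 1 yields the generator.
	_, _, err = P256ScalarBaseMultChecked(make([]byte, 33))
	fmt.Println("33-byte scalar:", err)
	one := make([]byte, P256ScalarBytes)
	one[31] = 1
	x, _, _ := P256ScalarBaseMultChecked(one)
	fmt.Println("scalar 1 gives Gx:", x.Cmp(elliptic.P256().Params().Gx) == 0)
}
```

The length checks are deliberately applied at the boundary where untrusted bytes enter, so a rejected input produces an error the caller can log rather than a crash of the whole process.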
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0171.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED