Bug 30469 - golang new security issue CVE-2022-29526
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-05-24 17:33 CEST by David Walser
Modified: 2022-05-28 10:57 CEST

See Also:
Source RPM: golang-1.17.9-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2022-05-24 17:33:41 CEST
Upstream has announced versions 1.17.10 and 1.18.2 on May 10, fixing a security issue:
https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU

openSUSE has issued an advisory for this today (May 24):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/H2A43RISVL27M3ODDCLLDJKV265ATZ43/

Mageia 8 is also affected.
David Walser 2022-05-24 17:34:09 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.17.10 and 1.18.2

Comment 1 Bruno Cornec 2022-05-26 01:48:44 CEST
go 1.18.2 pushed to cauldron

Status: NEW => ASSIGNED

Comment 2 Bruno Cornec 2022-05-26 02:04:41 CEST
go 1.17.10 pushed now to updates_testing for mga8.

Version: Cauldron => 8
Assignee: bruno => qa-bugs
Whiteboard: MGA8TOO => (none)
CC: (none) => bruno

Comment 3 David Walser 2022-05-26 03:12:36 CEST
golang-tests-1.17.10-1.mga8
golang-1.17.10-1.mga8
golang-misc-1.17.10-1.mga8
golang-docs-1.17.10-1.mga8
golang-src-1.17.10-1.mga8
golang-shared-1.17.10-1.mga8
golang-bin-1.17.10-1.mga8

from golang-1.17.10-1.mga8.src.rpm

Status comment: Fixed upstream in 1.17.10 and 1.18.2 => (none)
Source RPM: golang-1.17.9-1.mga8.src.rpm, golang-1.18.1-1.mga9.src.rpm => golang-1.17.9-1.mga8.src.rpm

Comment 4 Len Lawrence 2022-05-26 08:07:27 CEST
mga8, x64

Getting to be a bit of a habit this.
Smooth update of the seven packages via qarepo.
$ rpm -q golang
golang-1.17.10-1.mga8

Tested by building docker in <user>/dev.
$ cd dev
$ rm -rf docker
$ mgarepo co docker
$ ls docker
SOURCES/  SPECS/
$ cd docker
$ bm -s
creating package list
processing package %{origname}-%{moby_version}-%mkrel 1
building source package
succeeded!
$ sudo urpmi --buildrequires SPECS/docker.spec
warning: Macro expanded in comment on line 43: %{shortcommit_moby}
warning: line 119: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-swarm
warning: line 121: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-vim
<Don't know if these problems are caused by packaging or already installed packages>
$ bm
creating package list
processing package %{origname}-%{moby_version}-%mkrel 1
building source and binary packages
succeeded!
$ ls RPMS/x86_64
docker-20.10.16-1.mga8.x86_64.rpm
docker-devel-20.10.16-1.mga8.x86_64.rpm
docker-fish-completion-20.10.16-1.mga8.x86_64.rpm
docker-logrotate-20.10.16-1.mga8.x86_64.rpm
docker-nano-20.10.16-1.mga8.x86_64.rpm
docker-zsh-completion-20.10.16-1.mga8.x86_64.rpm

compared with:
$ rpm -q docker
docker-20.10.14-3.mga8

So golang looks good for complex tasks.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-05-27 03:11:52 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-05-27 04:05:24 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-05-28 10:57:14 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0210.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

