Bug 30530 - golang new security issue CVE-2022-30629
Summary: golang new security issue CVE-2022-30629
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-06-08 18:40 CEST by David Walser
Modified: 2022-06-16 23:06 CEST (History)
5 users

See Also:
Source RPM: golang-1.18.2-1.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2022-06-08 18:40:02 CEST
Upstream has released versions 1.7.11 and 1.18.3 on June 1, fixing a security issue:
https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg

Mageia 8 is also affected.
David Walser 2022-06-08 18:40:14 CEST

Status comment: (none) => Fixed upstream in 1.17.11
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-06-08 18:52:05 CEST
openSUSE has issued an advisory for this on June 7:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7YVS6P6QJPK5B4HQAT2XTPVX5KZ5WZ3B/
Comment 2 Bruno Cornec 2022-06-13 14:44:07 CEST
1.7.11 pushed to updates_testing
1.18.3 pushed to cauldron.

Assignee: bruno => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status: NEW => ASSIGNED

Comment 3 David Walser 2022-06-13 16:49:50 CEST
golang-tests-1.17.11-1.mga8
golang-1.17.11-1.mga8
golang-misc-1.17.11-1.mga8
golang-docs-1.17.11-1.mga8
golang-src-1.17.11-1.mga8
golang-shared-1.17.11-1.mga8
golang-bin-1.17.11-1.mga8

from golang-1.17.11-1.mga8.src.rpm

CC: (none) => bruno
Status comment: Fixed upstream in 1.17.11 => (none)

Comment 4 Len Lawrence 2022-06-13 17:08:16 CEST
mga8, x86_64

Problem while updating:
golang-tests-1.17.11-1.mga8.noarch.rpm: Missing signature (OK ((none)))
Do you want to continue installation?
-> No

Keywords: (none) => feedback
CC: (none) => tarazed25

Comment 5 Bruno Cornec 2022-06-13 18:15:27 CEST
I think it's the same issue as last time. Maybe the fact that the package is named test prevents the signature from happening correctly (just guessing).

Last time, when moving to prod, it wasn't a problem anymore. So maybe for your validation you can say yes in order to install it. Anyway, that package won't be tested by the docker rebuild ;-) (so you may even not update it
Comment 6 David Walser 2022-06-13 18:19:39 CEST
Either that or a build system issue.  I've asked for it to be removed and resubmitted.  I think I did the same thing last time.

CC: (none) => sysadmin-bugs

Comment 7 Len Lawrence 2022-06-13 18:49:19 CEST
OK, thanks.  Shall go ahead without the test package.
Comment 8 Len Lawrence 2022-06-13 19:19:25 CEST
urpme'd the existing testing package and installed the rest from qarepo.
Checked out docker from SVN and built a local version using the tried and tested procedure - see bug 30362 etc.
Build requires seemed to be up-to-date and bm proceeded smoothly.

The installed system version is docker-20.10.14-3.mga8 and
$ urpmq -i docker
lists up to 20.10.14.
The test build is 20.10.16-1.
$ cd ~/dev/docker/RPMS/x86_64
$ ls
docker-20.10.16-1.mga8.x86_64.rpm
docker-devel-20.10.16-1.mga8.x86_64.rpm
docker-fish-completion-20.10.16-1.mga8.x86_64.rpm
docker-logrotate-20.10.16-1.mga8.x86_64.rpm
docker-nano-20.10.16-1.mga8.x86_64.rpm
docker-zsh-completion-20.10.16-1.mga8.x86_64.rpm

Assuming this is OK.

Whiteboard: (none) => MGA8-64-OK
Keywords: feedback => (none)

Comment 9 David Walser 2022-06-13 19:27:53 CEST
We still need to make sure that golang-tests is properly signed.

Keywords: (none) => feedback

Comment 10 Dave Hodgins 2022-06-13 21:55:16 CEST
The entire list of packages will need to be retested once the signature
issue is fixed. Downgrade and reinstall the update after it's fixed.

The rebuild that fixes the signature for the golang-tests package might
cause a problem with another package from the same srpm such as a missing
signature. Unlikely, but without testing we won't know.

Whiteboard: MGA8-64-OK => (none)
CC: (none) => davidwhodgins

Comment 11 Thomas Backlund 2022-06-13 22:09:09 CEST
golang-tests-1.17.11-1.mga8 re-signed on primary mirror

Keywords: feedback => (none)
Whiteboard: (none) => MGA8-64-OK

Comment 12 Len Lawrence 2022-06-14 00:36:13 CEST
Thanks - I shall catch up with it tomorrow.
Len Lawrence 2022-06-14 00:40:45 CEST

Whiteboard: MGA8-64-OK => (none)

David Walser 2022-06-14 00:45:49 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 13 David Walser 2022-06-14 00:46:19 CEST
Tests are still valid...tmb didn't rebuild it, just signed the one unsigned rpm.
Comment 14 Thomas Andrews 2022-06-14 14:02:21 CEST
I'm going to hope that something has been noted somewhere so that this issue doesn't come up in the next golang update.

Validating.

CC: (none) => andrewsfarm
Keywords: (none) => validated_update

Comment 15 Len Lawrence 2022-06-14 14:40:39 CEST
Moved to another machine and repeated the whole process.  No certificate problems this time and the test rebuild went fine.
Dave Hodgins 2022-06-14 15:04:46 CEST

Keywords: (none) => advisory

Comment 16 Mageia Robot 2022-06-16 23:06:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0231.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

