Bug 30639 - golang new security issues CVE-2022-1705 CVE-2022-1962 CVE-2022-28131 CVE-2022-3063[01235] CVE-2022-32148
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-07-15 19:44 CEST by David Walser
Modified: 2022-07-16 21:59 CEST

See Also:
Source RPM: golang-1.18.3-1.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2022-07-15 19:44:37 CEST
Upstream has issued an advisory on July 12:
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

The issues are fixed upstream in 1.17.12 and 1.18.4.

Mageia 8 is also affected.

Fedora has issued an advisory for this today (July 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CUFBL2GZMN756YELNBCPJO3MTCGYXSYH/

David Walser 2022-07-15 19:44:57 CEST

Status comment: (none) => Fixed upstream in 1.17.12 and 1.18.4
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-07-16 02:52:28 CEST
Updated packages uploaded by Bruno for Mageia 8 and Cauldron.

golang-docs-1.17.12-1.mga8
golang-misc-1.17.12-1.mga8
golang-1.17.12-1.mga8
golang-tests-1.17.12-1.mga8
golang-src-1.17.12-1.mga8
golang-shared-1.17.12-1.mga8
golang-bin-1.17.12-1.mga8

from golang-1.17.12-1.mga8.src.rpm

CC: (none) => bruno
Assignee: bruno => qa-bugs
Status comment: Fixed upstream in 1.17.12 and 1.18.4 => (none)
Whiteboard: MGA8TOO => (none)

Comment 2 Len Lawrence 2022-07-16 10:51:50 CEST
Cauldron, x64
Had a look for the Cauldron version using "cauldron" in qarepo but it could not find the packages.

mga8, x64
Smooth update.  Local build of docker succeeded.
$ ls RPMS/x86_64
docker-20.10.16-1.mga8.x86_64.rpm
docker-devel-20.10.16-1.mga8.x86_64.rpm
docker-fish-completion-20.10.16-1.mga8.x86_64.rpm
docker-logrotate-20.10.16-1.mga8.x86_64.rpm
docker-nano-20.10.16-1.mga8.x86_64.rpm
docker-zsh-completion-20.10.16-1.mga8.x86_64.rpm

Compare with the installed version:
$ rpm -q docker
docker-20.10.14-3.mga8

Looks good for 64-bits.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 3 sturmvogel 2022-07-16 10:59:42 CEST
@Len: Your test seems to be for the wrong bug. It better suits Bug 30422. Removing MGA8-64-OK.

Whiteboard: MGA8-64-OK => (none)

Thomas Backlund 2022-07-16 11:01:52 CEST

Version: Cauldron => 8

Comment 4 Len Lawrence 2022-07-16 11:14:55 CEST
@sturmvogel regarding comment 3:
Sorry, I should have been more specific.  The rebuild of docker to exercise golang was suggested long ago.  With terminal logging enabled it is evident that golang is working hard.

These were the packages installed, alongside 42 other golang-related packages:
$ rpm -qa | grep 1.17.12-1
golang-1.17.12-1.mga8
golang-docs-1.17.12-1.mga8
golang-bin-1.17.12-1.mga8
golang-misc-1.17.12-1.mga8
golang-src-1.17.12-1.mga8
golang-tests-1.17.12-1.mga8
golang-shared-1.17.12-1.mga8

Again, apologies.

And, @Thomas - yes, thanks for the correction - forgot where I was.

Comment 5 sturmvogel 2022-07-16 11:21:14 CEST
Ah ok, understood Len. So your MGA8-64-OK is valid then?

Comment 6 Len Lawrence 2022-07-16 11:37:00 CEST
Yes, I hope so.  Putting it back.

Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2022-07-16 13:32:45 CEST
Glad you got things straightened out. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-07-16 17:23:35 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-07-16 21:59:14 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0262.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

