Bug 31575 - golang new security issues CVE-2022-4172[3-5] and CVE-2023-24532
Summary: golang new security issues CVE-2022-4172[3-5] and CVE-2023-24532
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
: 31692 (view as bug list)
Depends on:
Blocks:
 
Reported: 2023-02-19 17:20 CET by David Walser
Modified: 2023-03-24 06:57 CET (History)
6 users (show)

See Also:
Source RPM: golang-1.19.4-1.mga9.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2023-02-19 17:20:36 CET 
Go 1.20.1 and Go 1.19.6 have been released on February 14, fixing security issues:
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E

Fedora has issued an advisory for this on February 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JRXUC3OICW2AVH5PMURCX4EAOCITSPPU/

Mageia 8 is also affected.
David Walser 2023-02-19 17:20:58 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.19.6

Comment 1 Bruno Cornec 2023-02-20 02:38:13 CET 
1.19.6 pushed to mga8 updates_testing.
1.20.1 needs more work to be built for cauldron.

Status: NEW => ASSIGNED

Comment 2 David Walser 2023-02-20 16:48:30 CET 
golang-tests-1.19.6-1.mga8
golang-1.19.6-1.mga8
golang-misc-1.19.6-1.mga8
golang-docs-1.19.6-1.mga8
golang-src-1.19.6-1.mga8
golang-shared-1.19.6-1.mga8
golang-bin-1.19.6-1.mga8

from golang-1.19.6-1.mga8.src.rpm
Comment 3 David Walser 2023-03-15 15:43:35 CET 
Go 1.20.2 and Go 1.19.7 have been released on March 7, fixing a security issue:
https://groups.google.com/g/golang-announce/c/3-TpUx48iQY

SUSE has issued advisories for this on March 14:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014037.html
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014038.html

Mageia 8 is also affected.

Status comment: Fixed upstream in 1.19.6 => Fixed upstream in 1.19.7
Summary: golang new security issues CVE-2022-4172[3-5] => golang new security issues CVE-2022-4172[3-5] and CVE-2023-24532

Comment 4 sturmvogel 2023-03-17 15:24:04 CET 
*** Bug 31692 has been marked as a duplicate of this bug. ***

CC: (none) => linux

Comment 5 David Walser 2023-03-20 22:13:48 CET 
golang-tests-1.19.7-1.mga8
golang-1.19.7-1.mga8
golang-misc-1.19.7-1.mga8
golang-docs-1.19.7-1.mga8
golang-src-1.19.7-1.mga8
golang-shared-1.19.7-1.mga8
golang-bin-1.19.7-1.mga8

from golang-1.19.7-1.mga8.src.rpm

Cauldron update still pending.
Comment 6 Bruno Cornec 2023-03-21 00:06:54 CET 
I have now also pushed it to updates_testing for cauldron. Still need to have 1.20.x building not done yet.

Status comment: Fixed upstream in 1.19.7 => (none)
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: bruno => qa-bugs
CC: (none) => bruno

Comment 7 David Walser 2023-03-21 00:22:04 CET 
Note that the Cauldron update still needs to be moved to core/release.
Comment 8 Len Lawrence 2023-03-21 12:06:01 CET 
Mageia8, x86_64
Updated all the packages.
$ rpm -q golang
golang-1.19.7-1.mga8

Rebuilt docker locally to test compiler.
$ cd docker
$ mgarepo co docker
$ bm -s
$ bm -l
....
++ jobs -p
+ exit 0
succeeded!

$ cd RPMS/x86_64
$ ls -l
total 60808
-rw-r--r-- 1 lcl lcl 34777110 Mar 21 10:54 docker-20.10.22-1.mga8.x86_64.rpm
.....

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 9 Thomas Andrews 2023-03-22 00:59:16 CET 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-03-24 00:22:10 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 10 Mageia Robot 2023-03-24 06:57:30 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0109.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.