32052 – golang new security issues CVE-2023-2940[2-5]

Bug 32052 - golang new security issues CVE-2023-2940[2-5]

Summary: golang new security issues CVE-2023-2940[2-5]

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2023-06-26 22:17 CEST by David Walser
Modified:	2023-07-07 07:56 CEST (History)
CC List:	6 users (show)

See Also:
Source RPM:	golang-1.20.4-2.mga9.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2023-06-26 22:17:18 CEST

Go 1.20.5 and Go 1.19.10 have been released on June 6, fixing security issues:
https://groups.google.com/g/golang-announce/c/q5135a9d924

Mageia 8 is also affected.

Bruno, if you become aware of a new Golang release before me, please file a bug after checking for the details here:
https://groups.google.com/g/golang-announce

David Walser 2023-06-26 22:17:39 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.19.10 and 1.20.5

Comment 1 Nicolas Lécureuil 2023-06-27 00:24:05 CEST

fixed in cauldron.

CC: (none) => mageia
Version: Cauldron => 8

Nicolas Lécureuil 2023-06-27 00:24:45 CEST

Whiteboard: MGA8TOO => (none)

Comment 2 Bruno Cornec 2023-06-27 00:31:32 CEST

(In reply to David Walser from comment #0)
> Bruno, if you become aware of a new Golang release before me, please file a
> bug after checking for the details here:
> https://groups.google.com/g/golang-announce

Sorry, in fact I realized that the version existed when trying to fix a security issue for Kubernetes, where they mentionned that their latest version was built with go 1.20.5. So I decided to upgrade it, but forgot to document that.

Will work on mga8 ASAP.

Thanks Nicolas for the move !

Status: NEW => ASSIGNED

Comment 3 David Walser 2023-06-27 00:47:48 CEST

Nice, good catch!

Comment 4 Bruno Cornec 2023-06-27 01:04:45 CEST

1.19.10 pushed to updates_testing for mga8

FTR I rebuilt golang 1.19.10 with itself without issue.

Assignee: bruno => qa-bugs

Comment 5 David Walser 2023-06-27 01:19:03 CEST

golang-1.19.10-1.mga8
golang-tests-1.19.10-1.mga8
golang-misc-1.19.10-1.mga8
golang-docs-1.19.10-1.mga8
golang-src-1.19.10-1.mga8
golang-shared-1.19.10-1.mga8
golang-bin-1.19.10-1.mga8

from golang-1.19.10-1.mga8.src.rpm

Status comment: Fixed upstream in 1.19.10 and 1.20.5 => (none)
CC: (none) => bruno

Comment 6 Len Lawrence 2023-06-29 02:06:41 CEST

Mageia8, x86_64
Updated all packages without problems.
Tested this in the time-honoured manner by local build of docker.

$ mgarepo co docker
$ cd docker
$ bm -s
$ sudo urpmi --buildrequires SPECS/docker.spec
<That pulled in 52 packages>
$ bm
creating package list
processing package %{origname}-%{moby_version}-%mkrel 1
building source and binary packages
succeeded!

System version: docker-20.10.22-1.mga8
$ ls RPMS/x86_64
docker-20.10.22-1.mga8.x86_64.rpm

Looks good.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 7 Thomas Andrews 2023-06-30 02:38:16 CEST

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-07-06 23:37:10 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2023-07-07 07:56:48 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0227.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.