Bug 32052 - golang new security issues CVE-2023-2940[2-5]
Summary: golang new security issues CVE-2023-2940[2-5]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-06-26 22:17 CEST by David Walser
Modified: 2023-07-07 07:56 CEST

See Also:
Source RPM: golang-1.20.4-2.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2023-06-26 22:17:18 CEST
Go 1.20.5 and Go 1.19.10 have been released on June 6, fixing security issues:
https://groups.google.com/g/golang-announce/c/q5135a9d924

Mageia 8 is also affected.

Bruno, if you become aware of a new Golang release before me, please file a bug after checking for the details here:
https://groups.google.com/g/golang-announce

David Walser 2023-06-26 22:17:39 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.19.10 and 1.20.5

Comment 1 Nicolas Lécureuil 2023-06-27 00:24:05 CEST
fixed in cauldron.

CC: (none) => mageia
Version: Cauldron => 8

Nicolas Lécureuil 2023-06-27 00:24:45 CEST

Whiteboard: MGA8TOO => (none)

Comment 2 Bruno Cornec 2023-06-27 00:31:32 CEST
(In reply to David Walser from comment #0)
> Bruno, if you become aware of a new Golang release before me, please file a
> bug after checking for the details here:
> https://groups.google.com/g/golang-announce

Sorry, in fact I realized that the version existed when trying to fix a security issue for Kubernetes, where they mentioned that their latest version was built with go 1.20.5. So I decided to upgrade it, but forgot to document that.

Will work on mga8 ASAP.

Thanks Nicolas for the move!

Status: NEW => ASSIGNED

Comment 3 David Walser 2023-06-27 00:47:48 CEST
Nice, good catch!

Comment 4 Bruno Cornec 2023-06-27 01:04:45 CEST
1.19.10 pushed to updates_testing for mga8

FTR I rebuilt golang 1.19.10 with itself without issue.

Assignee: bruno => qa-bugs

Comment 5 David Walser 2023-06-27 01:19:03 CEST
golang-1.19.10-1.mga8
golang-tests-1.19.10-1.mga8
golang-misc-1.19.10-1.mga8
golang-docs-1.19.10-1.mga8
golang-src-1.19.10-1.mga8
golang-shared-1.19.10-1.mga8
golang-bin-1.19.10-1.mga8

from golang-1.19.10-1.mga8.src.rpm

Status comment: Fixed upstream in 1.19.10 and 1.20.5 => (none)
CC: (none) => bruno

Comment 6 Len Lawrence 2023-06-29 02:06:41 CEST
Mageia8, x86_64
Updated all packages without problems.
Tested this in the time-honoured manner by local build of docker.

$ mgarepo co docker
$ cd docker
$ bm -s
$ sudo urpmi --buildrequires SPECS/docker.spec
<That pulled in 52 packages>
$ bm
creating package list
processing package %{origname}-%{moby_version}-%mkrel 1
building source and binary packages
succeeded!

System version: docker-20.10.22-1.mga8
$ ls RPMS/x86_64
docker-20.10.22-1.mga8.x86_64.rpm

Looks good.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 7 Thomas Andrews 2023-06-30 02:38:16 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-07-06 23:37:10 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2023-07-07 07:56:48 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0227.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

