+++ This bug was initially created as a clone of Bug #32641 +++ That CVE was announced here: https://www.openwall.com/lists/oss-security/2023/12/18/3 https://www.openwall.com/lists/oss-security/2023/12/19/5 https://www.openwall.com/lists/oss-security/2023/12/20/3 Many SSH implementations that are packaged in Mageia are affected: <snip> - golang-x-crypto-0-6.mga9 Should be fixed in v. 0.17.0 https://pkg.go.dev/golang.org/x/crypto@v0.17.0 but I don't find the changelog.
Whiteboard: (none) => MGA9TOO
I have updated golang-x-crypto in cauldron to 0.17.0 which includes the fix, according to https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg As it provides golang-x-crypto-devel which are source files, does it mean that all packages which depend of it have to be rebuild? And then dependencies thereof? In Mageia 9: urpmq --whatrequires golang-x-crypto-devel golang-github-azure-autorest golang-github-azure-autorest-devel golang-github-azure-sdk golang-github-azure-sdk-devel golang-github-cloudflare-circl-devel golang-github-coreos-pkg golang-github-coreos-pkg-devel golang-github-elithrar-simple-scrypt golang-github-elithrar-simple-scrypt-devel golang-github-git-5-devel golang-github-gliderlabs-ssh golang-github-gliderlabs-ssh-devel golang-github-gobuffalo-logger golang-github-gobuffalo-logger-devel golang-github-google-devel golang-github-gophercloud golang-github-gophercloud-devel golang-github-gopherjs-devel golang-github-howeyc-gopass golang-github-howeyc-gopass-devel golang-github-jcmturner-gokrb5 golang-github-jcmturner-gokrb5-devel golang-github-labstack-echo-4 golang-github-labstack-echo-4-devel golang-github-masterminds-sprig golang-github-masterminds-sprig-devel golang-github-minio golang-github-minio-devel golang-github-nats-io-nkeys golang-github-nats-io-nkeys-devel golang-github-nats-io-server-devel golang-github-pkg-sftp golang-github-pkg-sftp-devel golang-github-playground-validator-10-devel golang-github-playground-validator-v10 golang-github-prometheus-exporter-toolkit golang-github-prometheus-exporter-toolkit-devel golang-github-protonmail-crypto-devel golang-github-sagikazarmark-crypt golang-github-sagikazarmark-crypt-devel golang-github-schollz-progressbar-3 golang-github-schollz-progressbar-3-devel golang-github-shopify-toxiproxy golang-github-shopify-toxiproxy-devel golang-github-spf13-afero golang-github-xanzy-ssh-agent golang-github-xanzy-ssh-agent-devel golang-github-xdg-scram golang-github-xdg-scram-devel golang-google-grpc golang-google-grpc-devel golang-gopkg-jcmturner-gokrb5-5 golang-gopkg-jcmturner-gokrb5-5-devel golang-gopkg-jcmturner-gokrb5-7 golang-gopkg-jcmturner-gokrb5-7-devel golang-gopkg-macaron-1 golang-gopkg-macaron-1-devel golang-gopkg-src-d-git-4 golang-gopkg-src-d-git-4-devel golang-mongodb-mongo-driver golang-mongodb-mongo-driver-devel golang-x-build golang-x-build-devel golang-x-crypto-devel golang-x-exp-devel golang-x-mod golang-x-mod-devel nats-server restic
CVE: (none) => CVE-2023-48795
Blocks: (none) => 32748
Blocks: 32748 => (none)
golang-x-crypto-0.17.0-1.mga10 fixed the issue for Cauldron.
Version: Cauldron => 9Whiteboard: MGA9TOO => (none)
(In reply to Nicolas Salguero from comment #2) > golang-x-crypto-0.17.0-1.mga10 fixed the issue for Cauldron. Yes, thanks to papoteur, who already pushed it on January 1st, 2024. Can't it be fixed for Mageia 9?