That CVE was announced here: https://www.openwall.com/lists/oss-security/2024/04/05/4 The problem is fixed in 1.21.9 (and 1.22.2, which is already built for Cauldron, so only Mageia 9 is affected).
CVE: (none) => CVE-2023-45288
Source RPM: (none) => golang-1.21.7-1.1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.21.9
Assigning to Stig who normally maintains Golang.
Assignee: bugsquad => smelror
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33076
Blocks: (none) => 33087
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33087
Blocks: 33087 => (none)
Advisory
========

Golang has been updated to version 1.21.9 to fix CVE-2023-45288.

CVE-2023-45288: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

References
==========

https://www.openwall.com/lists/oss-security/2024/04/05/4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288

Files
=====

Uploaded to core/updates_testing

golang-misc-1.21.9-1.mga9
golang-docs-1.21.9-1.mga9
golang-1.21.9-1.mga9
golang-tests-1.21.9-1.mga9
golang-src-1.21.9-1.mga9
golang-bin-1.21.9-1.mga9
golang-shared-1.21.9-1.mga9

from golang-1.21.9-1.mga9.src.rpm
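The advisory above describes the mechanism of CVE-2023-45288 in prose: an HTTP/2 server must keep parsing every HEADERS and CONTINUATION fragment to keep HPACK state in sync, so once a request has passed MaxHeaderBytes the attacker can keep sending CONTINUATION frames (never setting END_HEADERS) and the server keeps doing decode work for a request it will reject anyway. The Go program below is an added, simplified model of that server-side logic written for this page; it is not code from the Go net/http or golang.org/x/net/http2 packages, and the fix it models (a cap on excess header bytes before the connection is closed, here an assumed 1 MiB) is an illustration of the approach the advisory names, not the upstream patch itself. It hand-encodes RFC 9113 frames so that it runs offline with constructed filler payloads; the payloads are not valid HPACK, because only their length matters to the model.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// HTTP/2 framing constants (RFC 9113): a 9-byte header precedes every frame payload.
const (
	frameHeaderLen   = 9
	typeHeaders      = 0x1
	typeContinuation = 0x9
	flagEndHeaders   = 0x4
)

type frame struct {
	typ      byte
	flags    byte
	streamID uint32
	payload  []byte
}

// encodeFrame serialises one frame: 24-bit length, type, flags, 31-bit stream ID, payload.
func encodeFrame(typ, flags byte, streamID uint32, payload []byte) []byte {
	out := make([]byte, frameHeaderLen+len(payload))
	out[0], out[1], out[2] = byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload))
	out[3], out[4] = typ, flags
	binary.BigEndian.PutUint32(out[5:9], streamID&0x7fffffff)
	copy(out[frameHeaderLen:], payload)
	return out
}

// decodeFrames splits a byte stream into frames, rejecting truncated input.
func decodeFrames(wire []byte) ([]frame, error) {
	var frames []frame
	for len(wire) > 0 {
		if len(wire) < frameHeaderLen {
			return nil, errors.New("truncated frame header")
		}
		n := int(wire[0])<<16 | int(wire[1])<<8 | int(wire[2])
		if len(wire) < frameHeaderLen+n {
			return nil, errors.New("truncated frame payload")
		}
		sid := binary.BigEndian.Uint32(wire[5:9]) & 0x7fffffff
		frames = append(frames, frame{wire[3], wire[4], sid, wire[frameHeaderLen : frameHeaderLen+n]})
		wire = wire[frameHeaderLen+n:]
	}
	return frames, nil
}

var (
	errHeaderListTooLarge = errors.New("header list over MaxHeaderBytes: reject request, keep connection")
	errExcessHeaderFrames = errors.New("excess header data over cap: close connection")
)

// headerReader models a server consuming one header block (HEADERS, then CONTINUATION frames
// until END_HEADERS). maxHeaderBytes is the per-request limit; maxExcessBytes caps how much
// over-limit data is still parsed before the connection is dropped. A negative maxExcessBytes
// means no cap at all, which is the pre-fix behaviour the advisory describes.
type headerReader struct {
	maxHeaderBytes int
	maxExcessBytes int
	parsed         int // every header byte handed to the (expensive) HPACK decoder
	stored         int // bytes actually kept, never more than maxHeaderBytes
	excess         int // bytes parsed after the limit was already reached
}

// readHeaderBlock consumes frames until END_HEADERS and returns the number of header bytes parsed.
func (r *headerReader) readHeaderBlock(frames []frame) (int, error) {
	r.parsed, r.stored, r.excess = 0, 0, 0
	for i, f := range frames {
		if (i == 0 && f.typ != typeHeaders) || (i > 0 && f.typ != typeContinuation) {
			return r.parsed, errors.New("protocol error: unexpected frame inside header block")
		}
		// HPACK state must stay in sync, so the fragment is parsed whether or not it is kept.
		r.parsed += len(f.payload)
		if r.stored+len(f.payload) <= r.maxHeaderBytes {
			r.stored += len(f.payload)
		} else {
			r.excess += len(f.payload)
			if r.maxExcessBytes >= 0 && r.excess > r.maxExcessBytes {
				return r.parsed, errExcessHeaderFrames // modelled fix: stop decoding, close connection
			}
		}
		if f.flags&flagEndHeaders != 0 {
			if r.excess > 0 {
				return r.parsed, errHeaderListTooLarge
			}
			return r.parsed, nil
		}
	}
	return r.parsed, errors.New("header block never terminated")
}

// continuationFlood builds what the attacker sends: one HEADERS frame and n CONTINUATION
// frames of size bytes each, never setting END_HEADERS. The payload is constructed filler.
func continuationFlood(n, size int) []byte {
	payload := bytes.Repeat([]byte{0x80}, size)
	wire := encodeFrame(typeHeaders, 0, 1, payload)
	for i := 0; i < n; i++ {
		wire = append(wire, encodeFrame(typeContinuation, 0, 1, payload)...)
	}
	return wire
}

// floodCost reports how many header bytes a server with the given limits parses from the flood.
func floodCost(n, size, maxHeaderBytes, maxExcessBytes int) (int, error) {
	frames, err := decodeFrames(continuationFlood(n, size))
	if err != nil {
		return 0, err
	}
	r := &headerReader{maxHeaderBytes: maxHeaderBytes, maxExcessBytes: maxExcessBytes}
	return r.readHeaderBlock(frames)
}

func main() {
	// 1000 CONTINUATION frames of 16 KiB (the default SETTINGS_MAX_FRAME_SIZE) against a 1 MiB limit.
	parsed, err := floodCost(1000, 16384, 1<<20, -1)
	fmt.Printf("no excess cap:    parsed %d bytes, %v\n", parsed, err) // all 16400384 bytes parsed
	parsed, err = floodCost(1000, 16384, 1<<20, 1<<20)
	fmt.Printf("1 MiB excess cap: parsed %d bytes, %v\n", parsed, err) // stops after 2113536 bytes
}
```

The point the two runs make is the one the advisory makes: with no cap the server parses the entire 16 MiB flood for a request it was always going to reject, and the attacker can keep the block open indefinitely; with a cap on excess bytes the connection is closed after a bounded amount of work, while a request that merely exceeds MaxHeaderBytes and then ends normally is still rejected per request rather than per connection. The real decoder's Huffman cost is what makes the uncapped case expensive; this model only counts bytes.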
Assignee: smelror => qa-bugs
Mageia9, x64

$ rpm -qa | grep golang
golang-src-1.21.7-1.1.mga9
golang-bin-1.21.7-1.1.mga9
golang-1.21.7-1.1.mga9
golang-misc-1.21.7-1.1.mga9
golang-docs-1.21.7-1.1.mga9
golang-tests-1.21.7-1.1.mga9
golang-shared-1.21.7-1.1.mga9

Ran the update via qarepo etc without issues.

$ rpm -q golang
golang-1.21.9-1.mga9

A docker rebuild is the standard way to test golang but have hit a snag. Cannot access svn, at all, not even svn up from mgaadvisories.
CC: (none) => tarazed25
Keywords: (none) => advisory
SVN back in action. Checked out docker and followed the usual recipe and built current docker without a hitch. Along the way another 366 golang components were hauled in.

In docker build directory,

$ cd RPMS/x86_64
$ ls
docker-24.0.5-5.mga9.x86_64.rpm
docker-devel-24.0.5-5.mga9.x86_64.rpm
docker-fish-completion-24.0.5-5.mga9.x86_64.rpm
docker-logrotate-24.0.5-5.mga9.x86_64.rpm
docker-nano-24.0.5-5.mga9.x86_64.rpm
docker-zsh-completion-24.0.5-5.mga9.x86_64.rpm

For comparison;

$ rpm -q docker
docker-24.0.5-4.mga9

So it looks like it is ahead of the curve. Anyway, golang passes with flying colours.
Whiteboard: (none) => MGA64-OK
Whiteboard: MGA64-OK => MGA9-64-OK
Thank you, Len. Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0128.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED