Bug 33526 - golang new security issues CVE-2024-34155, CVE-2024-34156 and CVE-2024-34158
Summary: golang new security issues CVE-2024-34155, CVE-2024-34156 and CVE-2024-34158
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Duplicates: 33665
Depends on:
Blocks: 33143
Reported: 2024-09-06 09:20 CEST by Nicolas Salguero
Modified: 2024-11-27 21:00 CET
CC List: 3 users

See Also:
Source RPM: golang-1.21.12-1.mga9.src.rpm
CVE: CVE-2024-34155, CVE-2024-34156, CVE-2024-34158
Status comment: No fix yet for golang 1.21.x



Description Nicolas Salguero 2024-09-06 09:20:33 CEST
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/09/05/1

They talk about Go 1.23.x and 1.22.x but not about 1.21.x, so I am not sure if Mageia 9 is affected or not.
Nicolas Salguero 2024-09-06 09:21:04 CEST

Source RPM: (none) => golang-1.23.0-1.mga10.src.rpm
CVE: (none) => CVE-2024-34155, CVE-2024-34156, CVE-2024-34158
Status comment: (none) => Fixed upstream in 1.23.1

Comment 1 Lewis Smith 2024-09-06 20:39:44 CEST
Assigning to Stig who currently nurses Golang.

Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2024-09-06 21:37:11 CEST
Perhaps this could be the perfect excuse to update golang on mga9 to 1.23.1 so that it, too, is a good development environment for a bit longer.
Comment 3 Nicolas Salguero 2024-10-23 16:11:31 CEST
*** Bug 33665 has been marked as a duplicate of this bug. ***
Nicolas Salguero 2024-10-23 16:12:34 CEST

Status comment: Fixed upstream in 1.23.1 => No fix yet for golang 1.21.x
Source RPM: golang-1.23.0-1.mga10.src.rpm => golang-1.21.12-1.mga9.src.rpm
Version: Cauldron => 9

Nicolas Salguero 2024-11-26 09:32:15 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33143

Bruno Cornec 2024-11-27 00:11:13 CET

Status: NEW => ASSIGNED
CC: (none) => bruno

Comment 4 Bruno Cornec 2024-11-27 00:13:31 CET
(In reply to Stig-Ørjan Smelror from comment #2)
> Perhaps this could be the perfect excuse to update golang on mga9 to 1.23.1
> so that it, too, is a good development environment for a bit longer.

I'm working on rebuilding 1.22.9 in order to stay as near as possible to what we already have in mga9, and not jump too far. 1.23.x should definitely be what we have in cauldron.

Of course, if you really prefer 1.23.3, we could do it as well, hoping there is no other impact.
Bruno Cornec 2024-11-27 00:54:35 CET

Blocks: (none) => 33143

Comment 5 Bruno Cornec 2024-11-27 00:56:51 CET
RPMS/noarch/golang-docs-1.22.9-1.mga9.noarch.rpm
RPMS/noarch/golang-misc-1.22.9-1.mga9.noarch.rpm
RPMS/noarch/golang-src-1.22.9-1.mga9.noarch.rpm
RPMS/noarch/golang-tests-1.22.9-1.mga9.noarch.rpm
RPMS/x86_64/golang-1.22.9-1.mga9.x86_64.rpm
RPMS/x86_64/golang-bin-1.22.9-1.mga9.x86_64.rpm
RPMS/x86_64/golang-shared-1.22.9-1.mga9.x86_64.rpm

SRPMS/golang-1.22.9-1.mga9.src.rpm

Pushed to updates_testing.
Rebuilt docker and k8s successfully locally with it.

Assignee: smelror => qa-bugs

katnatek 2024-11-27 02:16:45 CET

Keywords: (none) => advisory

Comment 6 katnatek 2024-11-27 18:17:38 CET
RH x86_64

Used to build docker

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 7 Thomas Andrews 2024-11-27 19:00:23 CET
That is Len's go-to test for golang.

Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Mageia Robot 2024-11-27 21:00:20 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0376.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
