Golang F35 Mini Mass Rebuild

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Fedorians and Gophers,

Later this week, I will be a doing a mass rebuild in F35 for all packages that 
require `golang` and provide binaries to mitigate the following CVEs:

`golang` (affects all go binaries):
-  CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
-  CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
-  CVE-2022-29526 golang: syscall: faccessat checks wrong group
(There are some Go CVEs that are a little bit older that will also be 
mitigated by the rebuild for packages that haven't been updated recently)

CVEs in other golang libraries that affect a subset of Go packages:
- CVE-2022-21698 golang-github-prometheus-client: prometheus/client_golang: 
Denial of service using InstrumentHandlerCounter
- CVE-2022-1996 go-restful: Authorization Bypass Through User-Controlled Key

Only packages that provide binaries need to be rebuilt, which will make this 
rebuild less disruptive. Also, note that if your package uses vendored 
dependencies that are affected by the latter two CVEs and haven't been patched, 
you will need to handle this manually by querying upstream to update their 
vendored dependencies (if the bundling is done upstream) and/or fix it 
yourself. Thankfully, the packages don't need rebuilt in a specific order 
(besides golang being first) due to the nature of go, so this will be less 
complicated than, for example, the Python rebuilds.

No action will be required from you, unless your package is affected by the 
aforementioned bundled dep issue, you'd like your package to receive special 
treatment, or if the go-sig doesn't have permissions on your package (see 
below).

I have made a list of affected packages here[1]. I didn't want to paste it into 
this email, as it's pretty long. The list is split into 2 categories:

## go-sig packages

### mergable from Rawhide
For these packages, `rawhide` was determined to be mergable back to `f35`, as 
they were up to date excluding the rebuild commit from when we rebuilt 
`rawhide` a week or two ago.

### Not mergable
These packages were determined to not be mergable, as `rawhide` is ahead of 
(or otherwise has diverged from) `f35`. Therefore, I will create a new rebuild 
commit on `f35`. This will likely cause merge conflicts if you try to merge 
`rawhide` back into `f35` after this change. Assuming the update would be 
compatible and comply with the Updates Policy, I can move your package into 
the other list and merge `rawhide` into `f35`. Please leave a comment on 
https://pagure.io/GoSIG/go-sig/issue/41 if you would like me to do so. 
Conversely, if you believe your package is incorrectly in `### mergeable`, 
also let me know in the aforementioned ticket.

## non-go-sig packages
Neither I personally nor the go-sig has access to these packages, so I will 
query a provenpackager to handle these. To the maintainers of these packages: 
You really should really add go-sig to your package. Not having the 
appropriate permissions delays us from mitigating CVEs in your package and 
generally prevents us from effectively maintaining the Go stack. @fale has 
already sent two reminders. Please see https://lists.fedoraproject.org/
archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/
A4NEHUW52ELDHDMPQDCBSRJXHDPJK2QX/ for more information.

For the benefit of the provenpackager who will handle this, I have compiled the 
same mergable and not mergable lists.

Thank you for your cooperation. I understand that this is a bit disruptive for 
a stable release, but we don't have much of a choice.

[1]: https://pad.snopyta.org/BiFivroxQdqEZsW_tach8A
-- 
Maxwell G (@gotmax23)
Pronouns: He/Him/His

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux