Summary: | <dev-lang/go-{1.12.17},{1.13.7}: Malformed X509 cert can cause panic (CVE-2020-7919) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | williamh |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://groups.google.com/forum/#!topic/golang-announce/Hsw4mHYc470 | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | dev-lang/go-1.12.17 | ||
Runtime testing required: | --- |
Bug Depends on: | 706512, 711552 | ||
Bug Blocks: |
Description
Sam James
2020-03-16 22:00:10 UTC
Bug: https://github.com/golang/go/issues/36837

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

We still need to check status in 1.14.x.

(In reply to Thomas Deutschmann from comment #2)
> We still need to check status in 1.14.x.

> The upcoming Go 1.14rc1 release will also include the fixes above.

Go 1.14 has since been released, so we're good there!

1.13.8 is waiting for #711552. I will stabilize 1.12.17 myself.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f8515427b17f2c8d3190fcf5e774717df4447b98

commit f8515427b17f2c8d3190fcf5e774717df4447b98
Author: William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-03-17 15:30:51 +0000
Commit: William Hubbs <williamh@gentoo.org>
CommitDate: 2020-03-17 15:33:01 +0000

    dev-lang/go: stabilize 1.12.17

    Bug: https://bugs.gentoo.org/712924
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/go-1.12.17.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b800340816ed04663391c292786f1a5a3ccd1f29

commit b800340816ed04663391c292786f1a5a3ccd1f29
Author: William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-03-17 15:50:51 +0000
Commit: William Hubbs <williamh@gentoo.org>
CommitDate: 2020-03-17 15:51:19 +0000

    dev-lang/go: remove vulnerable 1.12 versions

    Bug: https://bugs.gentoo.org/712924
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest | 2 -
 dev-lang/go/go-1.12.13.ebuild | 246 ------------------------------------------
 dev-lang/go/go-1.12.15.ebuild | 246 ------------------------------------------
 3 files changed, 494 deletions(-)

(updating whiteboard to reflect waiting for stable).

@maintainer(s), please cleanup!

Tree is clean.

Unable to check for sanity:
> no match for package: dev-lang/go-1.13.8
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Ping,

the tree is clean, so what's the next step?

Thanks,

William

(In reply to William Hubbs from comment #12)
> Ping,
>
> the tree is clean, so what's the next step?
>
> Thanks,
>
> William

Hi William,

Nothing more for you to do - we may GLSA it but that's just on our side.

Ignore nattka.. it's still having teething problems with the sec bugs.

Thanks!

GLSA Vote: No

Arches and Maintainer(s), Thank you for your work.