Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 619554 (CVE-2017-8932) - <dev-lang/go-1.8.3: Elliptic curves carry propagation issue in x86-64 P-256
Summary: <dev-lang/go-1.8.3: Elliptic curves carry propagation issue in x86-64 P-256
Status: RESOLVED FIXED
Alias: CVE-2017-8932
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-24 13:49 UTC by Agostino Sarubbo
Modified: 2017-06-15 19:11 UTC (History)
1 user (show)

See Also:
Package list:
dev-lang/go-1.8.3
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-05-24 13:49:24 UTC
From ${URL} :

A carry propagation issue was found in the P-256 implementation for x86-64 in golang.

Upstream issue:

https://github.com/golang/go/issues/20040

Upstream patch:

https://golang.org/cl/41070


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 William Hubbs gentoo-dev 2017-05-24 19:38:24 UTC
I am waiting for the upstream tarball for go-1.8.3.
Comment 2 William Hubbs gentoo-dev 2017-05-25 00:59:12 UTC
@security:
I have added go-1.8.3 to the tree and stabilized on amd64.

Arm and x86 teams, please stabilize.
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-06-04 22:55:07 UTC
@ Arches,

please test and mark stable: =dev-lang/go-1.8.3
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-06-04 22:59:40 UTC
x86 stable
Comment 5 Markus Meier gentoo-dev 2017-06-12 18:52:37 UTC
arm stable, all arches done.
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-06-13 21:02:16 UTC
GLSA Vote: No

@ Maintainer(s): Please cleanup and drop =dev-lang/go-1.8.1!
Comment 7 William Hubbs gentoo-dev 2017-06-15 16:44:01 UTC
Go-1.8.1 has been removed.
Comment 8 Thomas Deutschmann gentoo-dev Security 2017-06-15 19:07:20 UTC
Repository is clean, all done.

@ Arches and Maintainer(s): Thank you for your work.