Hi Fedorians and Gophers, Later this week, I will be a doing a mass rebuild in F35 for all packages that require `golang` and provide binaries to mitigate the following CVEs:
`golang` (affects all go binaries): - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar - CVE-2022-29526 golang: syscall: faccessat checks wrong group (There are some Go CVEs that are a little bit older that will also be mitigated by the rebuild for packages that haven't been updated recently) CVEs in other golang libraries that affect a subset of Go packages: - CVE-2022-21698 golang-github-prometheus-client: prometheus/client_golang: Denial of service using InstrumentHandlerCounter - CVE-2022-1996 go-restful: Authorization Bypass Through User-Controlled Key Only packages that provide binaries need to be rebuilt, which will make this rebuild less disruptive. Also, note that if your package uses vendored dependencies that are affected by the latter two CVEs and haven't been patched, you will need to handle this manually by querying upstream to update their vendored dependencies (if the bundling is done upstream) and/or fix it yourself. Thankfully, the packages don't need rebuilt in a specific order (besides golang being first) due to the nature of go, so this will be less complicated than, for example, the Python rebuilds. No action will be required from you, unless your package is affected by the aforementioned bundled dep issue, you'd like your package to receive special treatment, or if the go-sig doesn't have permissions on your package (see below). I have made a list of affected packages here[1]. I didn't want to paste it into this email, as it's pretty long. The list is split into 2 categories: ## go-sig packages ### mergable from Rawhide For these packages, `rawhide` was determined to be mergable back to `f35`, as they were up to date excluding the rebuild commit from when we rebuilt `rawhide` a week or two ago. ### Not mergable These packages were determined to not be mergable, as `rawhide` is ahead of (or otherwise has diverged from) `f35`. Therefore, I will create a new rebuild commit on `f35`. This will likely cause merge conflicts if you try to merge `rawhide` back into `f35` after this change. Assuming the update would be compatible and comply with the Updates Policy, I can move your package into the other list and merge `rawhide` into `f35`. Please leave a comment on https://pagure.io/GoSIG/go-sig/issue/41 if you would like me to do so. Conversely, if you believe your package is incorrectly in `### mergeable`, also let me know in the aforementioned ticket. ## non-go-sig packages Neither I personally nor the go-sig has access to these packages, so I will query a provenpackager to handle these. To the maintainers of these packages: You really should really add go-sig to your package. Not having the appropriate permissions delays us from mitigating CVEs in your package and generally prevents us from effectively maintaining the Go stack. @fale has already sent two reminders. Please see https://lists.fedoraproject.org/ archives/list/devel@lists.fedoraproject.org/message/ A4NEHUW52ELDHDMPQDCBSRJXHDPJK2QX/ for more information. For the benefit of the provenpackager who will handle this, I have compiled the same mergable and not mergable lists. Thank you for your cooperation. I understand that this is a bit disruptive for a stable release, but we don't have much of a choice. [1]: https://pad.snopyta.org/BiFivroxQdqEZsW_tach8A -- Maxwell G (@gotmax23) Pronouns: He/Him/His
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
