PR#2: Update to fix CVE-2022-27191 - Closes rhbz#2074262 - rpms/golang-x-crypto

rpms / golang-x-crypto

#2 Update to fix CVE-2022-27191 - Closes rhbz#2074262

Merged 3 years ago by fale. Opened 3 years ago by mikelo2.

rpms/ mikelo2/golang-x-crypto cve-2022-27191 into rawhide

Update to fix CVE-2022-27191 - Closes rhbz#2074262

Mikel Olasagasti Uranga • 3 years ago

009f9c8

.gitignore

file modified

		`@@ -4,3 +4,4 @@`
		`/crypto-123391ffb6de907695e1066dc40c1ff09322aeb6.tar.gz`
		`/crypto-eec23a3978adcfd26c29f4153eaa3e3d9b2cc53a.tar.gz`
		`/crypto-5770296d904e90f15f38f77dfc2e43fdf5efc083.tar.gz`
		`+ /crypto-7b82a4e95df4499652dca2c0d4185de9fffbdc8f.tar.gz`

golang-x-crypto.spec

file modified

+7 -3

		`@@ -6,7 +6,7 @@`
		`# https://github.com/golang/crypto`
		`%global goipath golang.org/x/crypto`
		`%global forgeurl https://github.com/golang/crypto`
		`- %global commit 5770296d904e90f15f38f77dfc2e43fdf5efc083`
		`+ %global commit 7b82a4e95df4499652dca2c0d4185de9fffbdc8f`

		`%gometa`

		`@@ -20,7 +20,7 @@`

		`Name: %{goname}`
		`Version: 0`
		`- Release: 0.42%{?dist}`
		`+ Release: 0.43%{?dist}`
		`Summary: Go supplementary cryptography libraries`

		`# Upstream license specification: BSD-3-Clause`
		`@@ -56,6 +56,10 @@`
		`%gopkgfiles`

		`%changelog`
		`+ * Tue Apr 12 2022 Mikel Olasagasti Uranga <mikel@olasagasti.info> - 0-0.43.20220412git7b82a4e`
		`+ - Fix CVE-2022-27191`
		`+ - Fix macro-in-changelog warning`
		`+`
		`* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0-0.42`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild`

		`@@ -183,7 +187,7 @@`
		`* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0-0.4.gitc57d4a7`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild`

		`- * Mon Jun 15 2015 jchaloup <jchaloup@redhat.com> - 0-0.3.git%{shortcommit}`
		`+ * Mon Jun 15 2015 jchaloup <jchaloup@redhat.com> - 0-0.3.git`
		`- Repository has moved to github.com/golang/crypto, updating spec file accordingly`
		`resolves: #1231618`

sources

file modified

+1 -2

		`@@ -1,2 +1,1 @@`
		`- SHA512 (crypto-eec23a3978adcfd26c29f4153eaa3e3d9b2cc53a.tar.gz) = 225d2a1c05854c57ee1aac5a9faeb38c79b7878343c7e500c2d23e83a5d2b30f0871ca77fe0b2fcee795045e18e56fb4f2e851a1d81f9d5941a73f45f9afa20e`
		`- SHA512 (crypto-5770296d904e90f15f38f77dfc2e43fdf5efc083.tar.gz) = c973e3d2c7d08b7cf6583651d39289ec92792400e32250a9a0722733b7083b2456451fa51868067443924a8b6abb22977b6e6d5cdce5145fbe3fa907dafb1a92`
		`+ SHA512 (crypto-7b82a4e95df4499652dca2c0d4185de9fffbdc8f.tar.gz) = 8982b314a422b3015fd879e5252a406e8f341c83bc125fe138c7526f352c2a19b0d66fbb7a1e3b3e1e46fd73ebcfddaa3d5b9823fea76634e071c135f5a4818b`

no initial comment

mikelo2 commented 3 years ago

https://groups.google.com/g/golang-announce/c/-cp44ypCT5s

https://github.com/golang/crypto/commit/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d

https://bugzilla.redhat.com/show_bug.cgi?id=2074262

Edited 3 years ago by mikelo2

fale commented 3 years ago

Thanks Mikelo!

Should we also re-build all packages that depend on x/crypto?

Pull-Request has been merged by fale

3 years ago

mikelo2 commented 3 years ago

Yes. Once this is built for F36 and F35 an override should be created so new builds can be done against the updated version rather than waiting it to hit stable. Using a side-tag would be another option, but I think the override should be enough.