Fedora 35: 2022-3969b64d4b Moderate: Golang DoS and Stack Overflow

Wire is a code generation tool that automates connecting components using

dependency injection. Dependencies between components are represented in Wire as

function parameters, encouraging explicit initialization instead of global

variables. Because Wire operates without runtime state or reflection, code

written to be used with Wire is useful even for hand-written initialization.

Rebuild for CVE-2022-{24675,28327,29526} in golang and other go ecosystem CVEs

--- This contains the result from the mass rebuild in F35 for all packages that

require `golang` and provide binaries to mitigate the following CVEs: `golang`

itself: - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode -CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar -CVE-2022-29526 golang: syscall: faccessat checks wrong group (There are some Go

CVEs that are a little bit older that will also be mitigated by the rebuild for

packages that haven't been updated recently) CVEs in other golang libraries

that affect a subset of Go packages: - CVE-2022-21698 golang-github-prometheus-client: prometheus/client_golang: Denial of service using

InstrumentHandlerCounter - CVE-2022-1996 go-restful: Authorization Bypass

Through User-Controlled Key ---- Initial import for golang-github-a8m-envsubst

Resolves: rhbz#2074406 ---- Initial package Resolves: rhbz#2074438 ----Update to v3.14.0 (close rhbz#2105612) ---- Fix merge ---- Update to 1.22.1

- Close: rhbz#2077577

* Sat Jul 9 2022 Maxwell G - 0.4.0-6

- Rebuild for CVE-2022-{24675,28327,29526 in golang}

* Sat Jul 9 2022 Maxwell G - 0.4.0-5

- Rebuild for CVE-2022-{24675,28327,29526} in golang

[ 1 ] Bug #2074406 - Review Request: golang-github-a8m-envsubst - Environment variables substitution for Go

https://bugzilla.redhat.com/show_bug.cgi?id=2074406

[ 2 ] Bug #2074438 - Review Request: golang-github-goccy-yaml - YAML support for the Go language

https://bugzilla.redhat.com/show_bug.cgi?id=2074438

[ 3 ] Bug #2077577 - powerline-go-1.22.1 is available

https://bugzilla.redhat.com/show_bug.cgi?id=2077577

[ 4 ] Bug #2105612 - golang-github-task-3.14.0 is available

https://bugzilla.redhat.com/show_bug.cgi?id=2105612

su -c 'dnf upgrade --advisory FEDORA-2022-3969b64d4b' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure