Fedora 35 CVE-2022-24675 Moderate: Manifest-Tool Stack Overflow Fix

This tool was mainly created for the purpose of viewing, creating, and

pushing the new manifests list object type in the Docker registry. Manifest

lists are defined in the v2.2 image specification and exist mainly for the

purpose of supporting multi-architecture and/or multi-platform images within

a Docker registry.

Rebuild for CVE-2022-{24675,28327,29526} in golang and other go ecosystem CVEs

--- This contains the result from the mass rebuild in F35 for all packages that

require `golang` and provide binaries to mitigate the following CVEs: `golang`

itself: - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode -CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar -CVE-2022-29526 golang: syscall: faccessat checks wrong group (There are some Go

CVEs that are a little bit older that will also be mitigated by the rebuild for

packages that haven't been updated recently) CVEs in other golang libraries

that affect a subset of Go packages: - CVE-2022-21698 golang-github-prometheus-client: prometheus/client_golang: Denial of service using

InstrumentHandlerCounter - CVE-2022-1996 go-restful: Authorization Bypass

Through User-Controlled Key ---- Initial import for golang-github-a8m-envsubst

Resolves: rhbz#2074406 ---- Initial package Resolves: rhbz#2074438 ----Update to v3.14.0 (close rhbz#2105612) ---- Fix merge ---- Update to 1.22.1

- Close: rhbz#2077577

* Sat Jul 9 2022 Maxwell G - 1.0.3-5

- Rebuild for CVE-2022-{24675,28327,29526} in golang

[ 1 ] Bug #2074406 - Review Request: golang-github-a8m-envsubst - Environment variables substitution for Go

https://bugzilla.redhat.com/show_bug.cgi?id=2074406

[ 2 ] Bug #2074438 - Review Request: golang-github-goccy-yaml - YAML support for the Go language

https://bugzilla.redhat.com/show_bug.cgi?id=2074438

[ 3 ] Bug #2077577 - powerline-go-1.22.1 is available

https://bugzilla.redhat.com/show_bug.cgi?id=2077577

[ 4 ] Bug #2105612 - golang-github-task-3.14.0 is available

https://bugzilla.redhat.com/show_bug.cgi?id=2105612

su -c 'dnf upgrade --advisory FEDORA-2022-3969b64d4b' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure