Bug 2149668

Summary: Please update EPEL7 golang to 1.18 / 1.19
Product: [Fedora] Fedora EPEL
Reporter: David Trudgian <dtrudg>
Component: golang
Assignee: Dave Dykstra <dwd>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: epel7
CC: amurdaca, asm, denis, deparker, dwd, eduardo.ramalho, go-sig, jcajka, lemenkov, maxwell
Hardware: Unspecified
OS: Unspecified
Fixed In Version: golang-1.18.4-1.el7
Doc Type: If docs needed, set a value
Last Closed: 2022-12-09 01:31:31 UTC
Type: Bug

Description David Trudgian 2022-11-30 14:46:55 UTC
Description of problem:

The version of golang in EPEL7 is currently 1.17.12

1.17.x has fallen out of upstream support, and is not receiving any security fixes from upstream. There are a number of CVE related bugzilla entries:

#2126630 #2126657 #2132874 #2132876 #213878 #2113816

In addition, various popular Go modules often support only the latest two upstream versions of Go, which eventually causes issues building software with older versions of Go.

Version-Release number of selected component (if applicable): 1.17.12


How reproducible: Always


Steps to Reproduce:
1. yum install golang

Actual results:

Version 1.17.12 is installed.


Expected results:

Preferably, a 1.18 / 1.19 version is installed that includes the security fixes from upstream. 

Alternatively, security backports are made to the EPEL7 version of Go.

Additional info:

Comment 1 Dave Dykstra 2022-11-30 19:18:22 UTC
Hi DT,

I own the golang for EPEL7, because it was getting much further behind than it is now.

My policy is to exactly follow Red Hat's releases in EL8. In fact I base it almost completely on the centos8-stream rpm .spec files. So if you want EPEL7 updated, convince Red Hat to update EL8. Usually they only update it at major 8.X releases or if there is a CVE of significant enough severity. In any case I don't see any point in having EPEL7 ahead of EL8.

Having said that, thanks for the ticket, because it looks like EL8 did get updated to 1.18.4, so I will update EPEL7 to that level. I don't know how I missed that, although there is a ton of golang email that flies by and most of it isn't relevant. I do try to look for the tickets that say they apply to EL8 though. It has only been at most 22 days so I didn't miss it by much:

https://git.centos.org/rpms/golang/history/SPECS/golang.spec?identifier=c8-stream-rhel8

Ah, that corresponds to the release of RHEL 8.7.  Very good.

Dave

Comment 2 David Trudgian 2022-11-30 20:07:21 UTC
Hi Dave,

> My policy is to exactly follow Red Hat's releases in EL8.

I think that's pretty fair... and yup, it's probably fair that anything about CVEs that aren't specific to EPEL7 is something I should raise on the other packages... arguing for everything being more up-to-date on those and rolling down, rather than have a situation where EPEL7 is ahead of everything else.

> Having said that, thanks for the ticket, because it looks like EL8 did get updated to 1.18.4, so I will update EPEL7 to that level.

That'd be great at this point.

Cheers,

DT

Comment 3 Dave Dykstra 2022-11-30 21:28:46 UTC
Note that 1.18.4 has equivalent CVE fixes to 1.17.12, so upgrading to the level of EL8 does not solve any new CVEs (for a change). That's probably why I didn't see any announcements about RHEL8 upgrading golang. All the outstanding CVEs are medium or lower so I assume that's why Red Hat did not build a newer version.

Comment 4 Fedora Update System 2022-11-30 21:35:29 UTC
FEDORA-EPEL-2022-96dbad9cd3 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-96dbad9cd3

Comment 5 Fedora Update System 2022-12-01 02:39:55 UTC
FEDORA-EPEL-2022-96dbad9cd3 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-96dbad9cd3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2022-12-09 01:31:31 UTC
FEDORA-EPEL-2022-96dbad9cd3 has been pushed to the Fedora EPEL 7 stable repository.
If the problem still persists, please make note of it in this bug report.