Bug 2325331

Summary: fscrypt being built with vulnerable golang version 1.23rc1
Product: [Fedora] Fedora
Reporter: secureblue <secureblueadmin>
Component: fscrypt
Assignee: Neal Gompa <ngompa13>
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Version: 41
CC: davide, go-sig, michel, ngompa13
Keywords: Security
Hardware: x86_64
OS: Linux
Fixed In Version: fscrypt-0.3.5-2.fc41 fscrypt-0.3.5-2.fc42
Last Closed: 2025-03-05 01:14:48 UTC

Description secureblue 2024-11-11 21:21:25 UTC
I've been scanning our F41-based images with trivy and noticed several findings for fscrypt and pam_fscrypt pointing to an out-of-date golang version: 1.23rc1

At first I thought this might be a false positive, since Fedora's golang is on 1.23.2.

However, looking into the build logs, it appears this finding is correct:

```
/usr/lib/golang/pkg/tool/linux_amd64/compile -o $WORK/b007/_pkg_.a -trimpath "$WORK/b007=>" -p internal/goarch -lang=go1.23 -std -complete -installsuffix shared -buildid AFwWSUYVgrr8hhtoNEpr/AFwWSUYVgrr8hhtoNEpr -goversion go1.23rc1 ....
```

https://kojipkgs.fedoraproject.org//packages/fscrypt/0.3.4/6.fc41/data/logs/x86_64/build.log

Reproducible: Always
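
The check described in the report, as an added example in Go that is not from the bug report or from Fedora's tooling: it extracts the `-goversion` values from a build log and reads the toolchain version embedded in a built binary with the standard `debug/buildinfo` package. The sample log is constructed (its first line is abridged from the excerpt above) and `/usr/bin/fscrypt` is an assumed install path.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"regexp"
)

// Toolchain version handed to the compiler, e.g. "-goversion go1.23rc1".
var goversionFlag = regexp.MustCompile(`-goversion (go\S+)`)

// Pre-release toolchains carry an "rc" or "beta" suffix after major.minor.
var prerelease = regexp.MustCompile(`^go\d+\.\d+(rc|beta)\d+`)

// IsPrerelease reports whether v names a release-candidate or beta toolchain.
func IsPrerelease(v string) bool { return prerelease.MatchString(v) }

// LogToolchains returns the distinct -goversion values seen in a build log.
func LogToolchains(log string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range goversionFlag.FindAllStringSubmatch(log, -1) {
		if !seen[m[1]] {
			seen[m[1]] = true
			out = append(out, m[1])
		}
	}
	return out
}

// BinaryToolchain returns the Go version the linker embedded in the binary at path.
func BinaryToolchain(path string) (string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("read build info from %s: %w", path, err)
	}
	return info.GoVersion, nil
}

// Constructed sample: line 1 is abridged from the excerpt above, line 2 is made up.
const sampleLog = `compile -p internal/goarch -lang=go1.23 -std -goversion go1.23rc1
compile -p internal/abi -lang=go1.23 -std -goversion go1.23.2`

func main() {
	for _, v := range LogToolchains(sampleLog) {
		fmt.Printf("build log: %s prerelease=%v\n", v, IsPrerelease(v))
	}
	v, err := BinaryToolchain("/usr/bin/fscrypt") // assumed install path
	fmt.Printf("binary: %q prerelease=%v err=%v\n", v, IsPrerelease(v), err)
}
```

A build log that yields more than one distinct toolchain, or any pre-release value, is worth raising with the package maintainer before trusting the resulting binary's scan results.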

Comment 1 Fedora Update System 2025-02-24 22:21:41 UTC
FEDORA-2025-5b3bbee81c (fscrypt-0.3.5-2.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-5b3bbee81c

Comment 2 Fedora Update System 2025-02-24 22:21:41 UTC
FEDORA-2025-fc7c0ca5c5 (fscrypt-0.3.5-2.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-fc7c0ca5c5

Comment 3 Fedora Update System 2025-02-25 01:06:49 UTC
FEDORA-2025-5b3bbee81c has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-5b3bbee81c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-5b3bbee81c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2025-02-25 01:42:38 UTC
FEDORA-2025-fc7c0ca5c5 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-fc7c0ca5c5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-fc7c0ca5c5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2025-03-05 01:14:48 UTC
FEDORA-2025-fc7c0ca5c5 (fscrypt-0.3.5-2.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 6 Fedora Update System 2025-03-15 00:30:18 UTC
FEDORA-2025-5b3bbee81c (fscrypt-0.3.5-2.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.