Description of problem:
The version of golang in EPEL7 is currently 1.17.12. 1.17.x has fallen out of upstream support, and is not receiving any security fixes from upstream. There are a number of CVE related bugzilla entries: #2126630 #2126657 #2132874 #2132876 #213878 #2113816

In addition, various popular Go modules often support only the latest two upstream versions of Go, which eventually causes issues building software with older versions of Go.

Version-Release number of selected component (if applicable):
1.17.12

How reproducible:
Always

Steps to Reproduce:
1. yum install golang

Actual results:
Version 1.17.12 is installed.

Expected results:
Preferably, a 1.18 / 1.19 version is installed that includes the security fixes from upstream. Alternatively, security backports are made to the EPEL7 version of Go.

Additional info:
Hi DT,

I own the golang for EPEL7, because it was getting much further behind than it is now. My policy is to exactly follow Red Hat's releases in EL8. In fact I base it almost completely on the centos8-stream rpm .spec files. So if you want EPEL7 updated, convince Red Hat to update EL8. Usually they only update it at major 8.X releases or if there is a CVE of significant enough severity. In any case I don't see any point in having EPEL7 ahead of EL8.

Having said that, thanks for the ticket, because it looks like EL8 did get updated to 1.18.4, so I will update EPEL7 to that level. I don't know how I missed that, although there is a ton of golang email that flies by and most of it isn't relevant. I do try to look for the tickets that say they apply to EL8 though. It has only been at most 22 days so I didn't miss it by much: https://git.centos.org/rpms/golang/history/SPECS/golang.spec?identifier=c8-stream-rhel8

Ah, that corresponds to the release of RHEL 8.7. Very good.

Dave
Hi Dave,

> My policy is to exactly follow Red Hat's releases in EL8.

I think that's pretty fair... and yup, it's probably fair that anything about CVEs that aren't specific to EPEL7 is something I should raise on the other packages... arguing for everything being more up-to-date on those and rolling down, rather than have a situation where EPEL7 is ahead of everything else.

> Having said that, thanks for the ticket, because it looks like EL8 did get updated to 1.18.4, so I will update EPEL7 to that level.

That'd be great at this point.

Cheers,
DT
Note that 1.18.4 has CVE fixes equivalent to those in 1.17.12, so upgrading to the level of EL8 does not solve any new CVEs (for a change). That's probably why I didn't see any announcements about RHEL8 upgrading golang. All the outstanding CVEs are medium or lower so I assume that's why Red Hat did not build a newer version.
FEDORA-EPEL-2022-96dbad9cd3 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-96dbad9cd3
FEDORA-EPEL-2022-96dbad9cd3 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-96dbad9cd3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2022-96dbad9cd3 has been pushed to the Fedora EPEL 7 stable repository.

If the problem still persists, please make note of it in this bug report.