Bug 2149668 - Please update EPEL7 golang to 1.18 / 1.19
Summary: Please update EPEL7 golang to 1.18 / 1.19
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: golang
Version: epel7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Dave Dykstra
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-11-30 14:46 UTC by David Trudgian
Modified: 2022-12-09 12:28 UTC (History)

Fixed In Version: golang-1.18.4-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-12-09 01:31:31 UTC
Type: Bug
Embargoed:



Description David Trudgian 2022-11-30 14:46:55 UTC
Description of problem:

The version of golang in EPEL7 is currently 1.17.12

1.17.x has fallen out of upstream support and is not receiving any security fixes from upstream. There are a number of CVE-related bugzilla entries:

#2126630 #2126657 #2132874 #2132876 #213878 #2113816

In addition, various popular Go modules often support only the latest two upstream versions of Go, which eventually causes issues building software with older versions of Go.

Version-Release number of selected component (if applicable): 1.17.12


How reproducible: Always


Steps to Reproduce:
1. yum install golang

Actual results:

Version 1.17.12 is installed.


Expected results:

Preferably, a 1.18 / 1.19 version is installed that includes the security fixes from upstream. 

Alternatively, security backports are made to the EPEL7 version of Go.

Additional info:
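As an added example (not part of the bug report, the EPEL package, or Red Hat's tooling), the following POSIX shell check parses `go version` output and flags a toolchain whose minor release is below a minimum the operator maintains. The motivation is the upstream policy cited above of supporting only the two most recent releases; the minimum of 1.18 and the sample `go version` lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the bug report. Flags a Go toolchain whose minor
# release is below MIN_SUPPORTED_MINOR. The value 18 is an assumption for the
# time of this report (1.18 and 1.19 supported upstream); adjust as releases
# move on.

MIN_SUPPORTED_MINOR=18

# go_minor: print the minor release number from a `go version` line, e.g.
# "go version go1.17.12 linux/amd64" -> 17. Prints nothing if unparseable.
go_minor() {
    printf '%s\n' "$1" | sed -n 's/^go version go1\.\([0-9][0-9]*\).*$/\1/p'
}

# go_supported: exit 0 if the toolchain in the given `go version` line is at
# or above MIN_SUPPORTED_MINOR, 1 if it is older, 2 if the line is unparseable.
go_supported() {
    minor=$(go_minor "$1")
    [ -n "$minor" ] || return 2
    [ "$minor" -ge "$MIN_SUPPORTED_MINOR" ]
}

# Constructed sample lines. On a real host use: go_supported "$(go version)"
SAMPLE_OLD='go version go1.17.12 linux/amd64'
SAMPLE_NEW='go version go1.18.4 linux/amd64'

for line in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    if go_supported "$line"; then
        echo "OK: $line"
    else
        echo "OUT OF SUPPORT (below 1.$MIN_SUPPORTED_MINOR): $line"
    fi
done
```

Running the block as written reports the 1.17.12 line as out of support and the 1.18.4 line as OK; pointing it at the real `go version` output on an EL7 host gives a quick inventory check for hosts that still carry an unsupported toolchain.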

Comment 1 Dave Dykstra 2022-11-30 19:18:22 UTC
Hi DT,

I own the golang for EPEL7, because it was getting much further behind than it is now.

My policy is to exactly follow Red Hat's releases in EL8.  In fact I base it almost completely on the centos8-stream rpm .spec files.  So if you want EPEL7 updated, convince Red Hat to update EL8.  Usually they only update it at major 8.X releases or if there is a CVE of significant enough severity. In any case I don't see any point in having EPEL7 ahead of EL8.

Having said that, thanks for the ticket, because it looks like EL8 did get updated to 1.18.4, so I will update EPEL7 to that level.  I don't know how I missed that, although there is a ton of golang email that flies by and most of it isn't relevant.  I do try to look for the tickets that say they apply to EL8 though.  It has only been at most 22 days so I didn't miss it by much:

https://git.centos.org/rpms/golang/history/SPECS/golang.spec?identifier=c8-stream-rhel8

Ah, that corresponds to the release of RHEL 8.7.  Very good.

Dave

Comment 2 David Trudgian 2022-11-30 20:07:21 UTC
Hi Dave,

> My policy is to exactly follow Red Hat's releases in EL8.

I think that's pretty fair... and yup, it's probably fair that anything about CVEs that aren't specific to EPEL7 is something I should raise on the other packages... arguing for everything being more up-to-date on those and rolling down, rather than have a situation where EPEL7 is ahead of everything else.

> Having said that, thanks for the ticket, because it looks like EL8 did get updated to 1.18.4, so I will update EPEL7 to that level. 

That'd be great at this point.

Cheers,

DT

Comment 3 Dave Dykstra 2022-11-30 21:28:46 UTC
Note that 1.18.4 has equivalent CVE fixes as 1.17.12 so upgrading to the level of EL8 does not solve any new CVEs (for a change).  That's probably why I didn't see any announcements about RHEL8 upgrading golang.  All the outstanding CVEs are medium or lower so I assume that's why Red Hat did not build a newer version.

Comment 4 Fedora Update System 2022-11-30 21:35:29 UTC
FEDORA-EPEL-2022-96dbad9cd3 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-96dbad9cd3

Comment 5 Fedora Update System 2022-12-01 02:39:55 UTC
FEDORA-EPEL-2022-96dbad9cd3 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-96dbad9cd3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2022-12-09 01:31:31 UTC
FEDORA-EPEL-2022-96dbad9cd3 has been pushed to the Fedora EPEL 7 stable repository.
If the problem still persists, please make note of it in this bug report.

