SUSE-CU-2024:890-1: Security update of bci/golang

sle-container-updates at lists.suse.com
Mon Mar 11 15:29:13 UTC 2024


SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:890-1
Container Tags        : bci/golang:1.21 , bci/golang:1.21-2.2.25 , bci/golang:oldstable , bci/golang:oldstable-2.2.25
Container Release     : 2.25
Severity              : important
Type                  : security
References            : 1212475 1212475 1219988 1220385 1220999 1221000 1221001 1221002
                        1221003 CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 CVE-2024-24784
                        CVE-2024-24785 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:734-1
Released:    Thu Feb 29 13:16:38 2024
Summary:     Recommended update for go1.21
Type:        recommended
Severity:    moderate
References:  1212475
This update for go1.21 fixes the following issues:

go1.21.7 (released 2024-02-06) includes fixes to the compiler,
the go command, the runtime, and the crypto/x509 package.

  (bsc#1212475 go1.21 release tracking)

* go#63209 runtime: 'fatal: morestack on g0' on amd64 after upgrade to Go 1.21
* go#63768 runtime: pinner.Pin doesn't panic when it says it will
* go#64497 cmd/go: flag modcacherw does not take effect in the target package
* go#64761 staticlockranking builders failing on release branches on LUCI
* go#64935 runtime: 'traceback: unexpected SPWRITE function runtime.systemstack'
* go#65023 x/tools/go/analysis/unitchecker,slices: TestVetStdlib failing due to vet errors in panic tests
* go#65053 cmd/compile: //go:build file version ignored when calling generic fn which has related type params
* go#65323 crypto: rollback BoringCrypto fips-20220613 update
* go#65351 cmd/go: go generate fails silently when run on a package in a nested workspace module
* go#65380 crypto/x509: TestIssue51759 consistently failing on gotip-darwin-amd64_10.15 LUCI builder
* go#65449 runtime/trace: frame pointer unwinding crash on arm64 during async preemption

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:766-1
Released:    Tue Mar  5 13:50:28 2024
Summary:     Recommended update for libssh
Type:        recommended
Severity:    important
References:  1220385
This update for libssh fixes the following issues:

- Fix regression parsing IPv6 addresses provided as hostname (bsc#1220385)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:811-1
Released:    Fri Mar  8 08:43:12 2024
Summary:     Security update for go1.21
Type:        security
Severity:    important
References:  1212475,1219988,1220999,1221000,1221001,1221002,1221003,CVE-2023-45289,CVE-2023-45290,CVE-2024-24783,CVE-2024-24784,CVE-2024-24785
This update for go1.21 fixes the following issues:

- Upgrade go to version 1.21.8
- CVE-2023-45289: net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (bsc#1221000)
- CVE-2023-45290: net/http: memory exhaustion in Request.ParseMultipartForm (bsc#1221001)
- CVE-2024-24783: crypto/x509: Verify panics on certificates with an unknown public key algorithm (bsc#1220999)
- CVE-2024-24784: net/mail: comments in display names are incorrectly handled (bsc#1221002)
- CVE-2024-24785: html/template: errors returned from MarshalJSON methods may break template escaping (bsc#1221003)


The following package changes have been made:

- libssh-config-0.9.8-150400.3.6.1 updated
- libssh4-0.9.8-150400.3.6.1 updated
- go1.21-doc-1.21.8-150000.1.27.1 updated
- go1.21-1.21.8-150000.1.27.1 updated
- go1.21-race-1.21.8-150000.1.27.1 updated
- container:sles15-image-15.0.0-36.11.10 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 removed
- cpio-2.13-150400.3.6.1 removed
- cracklib-2.9.7-11.6.1 removed
- cracklib-dict-small-2.9.7-11.6.1 removed
- diffutils-3.6-4.3.1 removed
- fillup-1.42-2.18 removed
- findutils-4.8.0-1.20 removed
- grep-3.1-150000.4.6.1 removed
- gzip-1.10-150200.10.1 removed
- libaudit1-3.0.6-150400.4.13.1 removed
- libblkid1-2.37.4-150500.9.3.1 removed
- libcap-ng0-0.7.9-4.37 removed
- libcrack2-2.9.7-11.6.1 removed
- libdw1-0.185-150400.5.3.1 removed
- libeconf0-0.5.2-150400.3.6.1 removed
- libelf1-0.185-150400.5.3.1 removed
- libfdisk1-2.37.4-150500.9.3.1 removed
- libgcrypt20-1.9.4-150500.10.19 removed
- libgcrypt20-hmac-1.9.4-150500.10.19 removed
- libgpg-error0-1.42-150400.1.101 removed
- liblua5_3-5-5.3.6-3.6.1 removed
- liblz4-1-1.9.3-150400.1.7 removed
- libmount1-2.37.4-150500.9.3.1 removed
- libnsl2-1.2.0-2.44 removed
- libpopt0-1.16-3.22 removed
- libsemanage1-3.1-150400.1.65 removed
- libsepol1-3.1-150400.1.70 removed
- libsmartcols1-2.37.4-150500.9.3.1 removed
- libsystemd0-249.17-150400.8.40.1 removed
- libtirpc-netconfig-1.3.4-150300.3.23.1 removed
- libtirpc3-1.3.4-150300.3.23.1 removed
- libutempter0-1.1.6-3.42 removed
- libuuid1-2.37.4-150500.9.3.1 removed
- libxml2-2-2.10.3-150500.5.14.1 removed
- login_defs-4.8.1-150400.10.12.1 removed
- ncurses-utils-6.1-150000.5.20.1 removed
- pam-1.3.0-150000.6.66.1 removed
- perl-base-5.26.1-150300.17.14.1 removed
- permissions-20201225-150400.5.16.1 removed
- rpm-config-SUSE-1-150400.14.3.1 removed
- rpm-ndb-4.14.3-150400.59.7.1 removed
- sed-4.4-11.6 removed
- shadow-4.8.1-150400.10.12.1 removed
- sles-release-15.5-150500.43.4 removed
- system-group-hardware-20170617-150400.24.2.1 removed
- sysuser-shadow-3.2-150400.3.5.3 removed
- tar-1.34-150000.3.34.1 removed
- timezone-2023c-150000.75.23.1 removed
- util-linux-2.37.4-150500.9.3.1 removed

