SUSE-CU-2023:3785-1: Security update of bci/golang

sle-security-updates at lists.suse.com
Tue Nov 21 16:17:42 UTC 2023


SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3785-1
Container Tags        : bci/golang:1.20-openssl , bci/golang:1.20-openssl-8.2 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-8.2
Container Release     : 8.2
Severity              : important
Type                  : security
References            : 1206346 1206346 1206346 1213229 1213880 1215084 1215085 1215090
                        1215985 1216109 1216943 1216944 CVE-2023-29406 CVE-2023-29409
                        CVE-2023-39318 CVE-2023-39319 CVE-2023-39323 CVE-2023-39325 CVE-2023-44487
                        CVE-2023-45283 CVE-2023-45284 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2023:2601-1
Released:    Wed Jun 21 15:42:34 2023
Summary:     Optional update for go1.20-openssl
Type:        optional
Severity:    moderate
References:  
This update for go1.20-openssl fixes the following issues:

This update delivers the go1.20 1.20.5.2 package, built with its cryptography
provided by the system openssl library. (jsc#SLE-18320 jsc#PED-1962)

This allows Go binaries built with go1.20-openssl to operate in FIPS 140-2/3 mode.


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3002-1
Released:    Thu Jul 27 12:38:13 2023
Summary:     Security update for go1.20-openssl
Type:        security
Severity:    moderate
References:  1206346,1213229,CVE-2023-29406
This update for go1.20-openssl fixes the following issues:

  Update to version 1.20.6.1 (bsc#1206346):

  - CVE-2023-29406: Fixed insufficient sanitization of Host header (bsc#1213229).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3840-1
Released:    Wed Sep 27 19:34:42 2023
Summary:     Security update for go1.20-openssl
Type:        security
Severity:    important
References:  1206346,1213880,1215084,1215085,1215090,CVE-2023-29409,CVE-2023-39318,CVE-2023-39319
This update for go1.20-openssl fixes the following issues:

Update to version 1.20.8 (bsc#1206346).

- CVE-2023-29409: Fixed unrestricted RSA keys in certificates (bsc#1213880).
- CVE-2023-39319: Fixed improper handling of special tags within script contexts in html/template (bsc#1215085).
- CVE-2023-39318: Fixed improper handling of HTML-like comments within script contexts (bsc#1215084).

The following non-security bug was fixed:

- Added the missing pprof HTML asset directory to the package (bsc#1215090).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4472-1
Released:    Thu Nov 16 19:01:27 2023
Summary:     Security update for go1.20-openssl
Type:        security
Severity:    important
References:  1206346,1215985,1216109,1216943,1216944,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487,CVE-2023-45283,CVE-2023-45284
This update for go1.20-openssl fixes the following issues:

Update to version 1.20.11.1 cut from the go1.20-openssl-fips
branch at the revision tagged go1.20.11-1-openssl-fips.

* Update to go1.20.11


go1.20.11 (released 2023-11-07) includes security fixes to the
path/filepath package, as well as bug fixes to the linker and the
net/http package.

* security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths (bsc#1216943, bsc#1216944)
* cmd/link: split text sections for arm 32-bit
* net/http: http2 page fails on firefox/safari if pushing resources


Update to version 1.20.10.1 cut from the go1.20-openssl-fips
branch at the revision tagged go1.20.10-1-openssl-fips.

* Update to go1.20.10


go1.20.10 (released 2023-10-10) includes a security fix to the
net/http package.

* security: fix CVE-2023-39325 CVE-2023-44487 net/http: rapid stream resets can cause excessive work (bsc#1216109)

  
go1.20.9 (released 2023-10-05) includes one security fix to the
cmd/go package, as well as bug fixes to the go command and the
linker.

* security: fix CVE-2023-39323 cmd/go: line directives allow arbitrary execution during build (bsc#1215985)
* cmd/link: issues with Apple's new linker in Xcode 15 beta


The following package changes have been done:

- go1.20-openssl-doc-1.20.11.1-150000.1.14.1 added
- go1.20-openssl-1.20.11.1-150000.1.14.1 added
- go1.20-openssl-race-1.20.11.1-150000.1.14.1 added
- go1.19-openssl-1.19.13.1-150000.1.8.1 removed
- go1.19-openssl-doc-1.19.13.1-150000.1.8.1 removed
- go1.19-openssl-race-1.19.13.1-150000.1.8.1 removed

