SUSE-CU-2023:3785-1: Security update of bci/golang
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Tue Nov 21 16:17:42 UTC 2023
SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3785-1
Container Tags : bci/golang:1.20-openssl , bci/golang:1.20-openssl-8.2 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-8.2
Container Release : 8.2
Severity : important
Type : security
References : 1206346 1206346 1206346 1213229 1213880 1215084 1215085 1215090
1215985 1216109 1216943 1216944 CVE-2023-29406 CVE-2023-29409
CVE-2023-39318 CVE-2023-39319 CVE-2023-39323 CVE-2023-39325 CVE-2023-44487
CVE-2023-45283 CVE-2023-45284
-----------------------------------------------------------------
The container bci/golang was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2023:2601-1
Released: Wed Jun 21 15:42:34 2023
Summary: Optional update for go1.20-openssl
Type: optional
Severity: moderate
References:
This update for go1.20-openssl fixes the following issues:
This update delivers a go1.20 1.20.5.2 package built with its cryptography
using the system openssl library. (jsc#SLE-18320 jsc#PED-1962)
This allows GO binaries built with go1.20-openssl to be operating in FIPS 140-2/3 mode.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3002-1
Released: Thu Jul 27 12:38:13 2023
Summary: Security update for go1.20-openssl
Type: security
Severity: moderate
References: 1206346,1213229,CVE-2023-29406
This update for go1.20-openssl fixes the following issues:
Update to version 1.20.6.1 (bsc#1206346):
- CVE-2023-29406: Fixed insufficient sanitization of Host header (bsc#1213229).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3840-1
Released: Wed Sep 27 19:34:42 2023
Summary: Security update for go1.20-openssl
Type: security
Severity: important
References: 1206346,1213880,1215084,1215085,1215090,CVE-2023-29409,CVE-2023-39318,CVE-2023-39319
This update for go1.20-openssl fixes the following issues:
Update to version 1.20.8 (bsc#1206346).
- CVE-2023-29409: Fixed unrestricted RSA keys in certificates (bsc#1213880).
- CVE-2023-39319: Fixed improper handling of special tags within script contexts in html/template (bsc#1215085).
- CVE-2023-39318: Fixed improper handling of HTML-like comments within script contexts (bsc#1215084).
The following non-security bug was fixed:
- Add missing directory pprof html asset directory to package (bsc#1215090).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4472-1
Released: Thu Nov 16 19:01:27 2023
Summary: Security update for go1.20-openssl
Type: security
Severity: important
References: 1206346,1215985,1216109,1216943,1216944,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487,CVE-2023-45283,CVE-2023-45284
This update for go1.20-openssl fixes the following issues:
Update to version 1.20.11.1 cut from the go1.20-openssl-fips
branch at the revision tagged go1.20.11-1-openssl-fips.
* Update to go1.20.11
go1.20.11 (released 2023-11-07) includes security fixes to the
path/filepath package, as well as bug fixes to the linker and the
net/http package.
* security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths (bsc#1216943, bsc#1216944)
* cmd/link: split text sections for arm 32-bit
* net/http: http2 page fails on firefox/safari if pushing resources
Update to version 1.20.10.1 cut from the go1.20-openssl-fips
branch at the revision tagged go1.20.10-1-openssl-fips.
* Update to go1.20.10
go1.20.10 (released 2023-10-10) includes a security fix to the
net/http package.
* security: fix CVE-2023-39325 CVE-2023-44487 net/http: rapid stream resets can cause excessive work (bsc#1216109)
go1.20.9 (released 2023-10-05) includes one security fixes to the
cmd/go package, as well as bug fixes to the go command and the
linker.
* security: fix CVE-2023-39323 cmd/go: line directives allows arbitrary execution during build (bsc#1215985)
* cmd/link: issues with Apple's new linker in Xcode 15 beta
The following package changes have been done:
- go1.20-openssl-doc-1.20.11.1-150000.1.14.1 added
- go1.20-openssl-1.20.11.1-150000.1.14.1 added
- go1.20-openssl-race-1.20.11.1-150000.1.14.1 added
- go1.19-openssl-1.19.13.1-150000.1.8.1 removed
- go1.19-openssl-doc-1.19.13.1-150000.1.8.1 removed
- go1.19-openssl-race-1.19.13.1-150000.1.8.1 removed
More information about the sle-security-updates
mailing list