SUSE-CU-2023:3786-1: Security update of bci/golang

sle-security-updates at sle-security-updates at
Tue Nov 21 16:17:47 UTC 2023

SUSE Container Update Advisory: bci/golang
Container Advisory ID : SUSE-CU-2023:3786-1
Container Tags        : bci/golang:1.21-openssl , bci/golang:1.21-openssl-8.2 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-8.2
Container Release     : 8.2
Severity              : moderate
Type                  : security
References            : 1212475 1212667 1212669 1215084 1215085 1215086 1215087 1215090
                        1215985 1216109 1216943 1216944 CVE-2023-39318 CVE-2023-39319
                        CVE-2023-39320 CVE-2023-39321 CVE-2023-39322 CVE-2023-39323 CVE-2023-39325
                        CVE-2023-44487 CVE-2023-45283 CVE-2023-45284 

The container bci/golang was updated. The following patches have been included in this update:

Advisory ID: SUSE-SU-2023:4469-1
Released:    Thu Nov 16 18:59:45 2023
Summary:     Security update for go1.21-openssl
Type:        security
Severity:    moderate
References:  1212475,1212667,1212669,1215084,1215085,1215086,1215087,1215090,1215985,1216109,1216943,1216944,CVE-2023-39318,CVE-2023-39319,CVE-2023-39320,CVE-2023-39321,CVE-2023-39322,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487,CVE-2023-45283,CVE-2023-45284
This update for go1.21-openssl fixes the following issues:

Update to version cut from the go1.21-openssl-fips
branch at the revision tagged go1.21.4-1-openssl-fips.

* Update to go1.21.4

go1.21.4 (released 2023-11-07) includes security fixes to the
path/filepath package, as well as bug fixes to the linker, the
runtime, the compiler, and the go/types, net/http, and
runtime/cgo packages.

* security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths (bsc#1216943, bsc#1216944)
* spec: update unification rules
* cmd/compile: internal compiler error: expected struct value to have type struct
* cmd/link: split text sections for arm 32-bit
* runtime: MADV_COLLAPSE causes production performance issues on Linux
* go/types, x/tools/go/ssa: panic: type param without replacement encountered
* cmd/compile: -buildmode=c-archive produces code not suitable for use in a shared object on arm64
* net/http: http2 page fails on firefox/safari if pushing resources

Initial package go1.21-openssl version cut from the
go1.21-openssl-fips branch at the revision tagged
go1.21.3-1-openssl-fips.  (jsc#SLE-18320)

* Go upstream merged branch dev.boringcrypto in go1.19+.
* In go1.x enable BoringCrypto via GOEXPERIMENT=boringcrypto.
* In go1.x-openssl enable FIPS mode (or boring mode as the
  package is named) either via an environment variable
  GOLANG_FIPS=1 or by virtue of booting the host in FIPS mode.
* When the operating system is operating in FIPS mode, Go
  applications which import crypto/tls/fipsonly limit operations
  to the FIPS ciphersuite.
* go1.x-openssl is delivered as two large patches to go1.x
  applying necessary modifications from the golang-fips/go GitHub
  project for the Go crypto library to use OpenSSL as the
  external cryptographic library in a FIPS compliant way.
* go1.x-openssl modifies the crypto/* packages to use OpenSSL for
  cryptographic operations.
* go1.x-openssl uses dlopen() to call into OpenSSL.
* SUSE RPM packaging introduces a fourth version digit go1.x.y.z
  corresponding to the golang-fips/go patchset tagged revision.
* Patchset improvements can be updated independently of upstream
  Go maintenance releases.

The following package changes have been done:

- go1.21-openssl-doc- added
- go1.21-openssl- added
- go1.21-openssl-race- added
- go1.20-openssl- removed
- go1.20-openssl-doc- removed
- go1.20-openssl-race- removed

More information about the sle-security-updates mailing list