SUSE-CU-2023:3786-1: Security update of bci/golang
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Tue Nov 21 16:17:47 UTC 2023
SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3786-1
Container Tags : bci/golang:1.21-openssl , bci/golang:1.21-openssl-8.2 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-8.2
Container Release : 8.2
Severity : moderate
Type : security
References : 1212475 1212667 1212669 1215084 1215085 1215086 1215087 1215090
1215985 1216109 1216943 1216944 CVE-2023-39318 CVE-2023-39319
CVE-2023-39320 CVE-2023-39321 CVE-2023-39322 CVE-2023-39323 CVE-2023-39325
CVE-2023-44487 CVE-2023-45283 CVE-2023-45284
-----------------------------------------------------------------
The container bci/golang was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4469-1
Released: Thu Nov 16 18:59:45 2023
Summary: Security update for go1.21-openssl
Type: security
Severity: moderate
References: 1212475,1212667,1212669,1215084,1215085,1215086,1215087,1215090,1215985,1216109,1216943,1216944,CVE-2023-39318,CVE-2023-39319,CVE-2023-39320,CVE-2023-39321,CVE-2023-39322,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487,CVE-2023-45283,CVE-2023-45284
This update for go1.21-openssl fixes the following issues:
Update to version 1.21.4.1 cut from the go1.21-openssl-fips
branch at the revision tagged go1.21.4-1-openssl-fips.
* Update to go1.21.4
go1.21.4 (released 2023-11-07) includes security fixes to the
path/filepath package, as well as bug fixes to the linker, the
runtime, the compiler, and the go/types, net/http, and
runtime/cgo packages.
* security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths (bsc#1216943, bsc#1216944)
* spec: update unification rules
* cmd/compile: internal compiler error: expected struct value to have type struct
* cmd/link: split text sections for arm 32-bit
* runtime: MADV_COLLAPSE causes production performance issues on Linux
* go/types, x/tools/go/ssa: panic: type param without replacement encountered
* cmd/compile: -buildmode=c-archive produces code not suitable for use in a shared object on arm64
* net/http: http2 page fails on firefox/safari if pushing resources
Initial package go1.21-openssl version 1.21.3.1 cut from the
go1.21-openssl-fips branch at the revision tagged
go1.21.3-1-openssl-fips. (jsc#SLE-18320)
* Go upstream merged branch dev.boringcrypto in go1.19+.
* In go1.x enable BoringCrypto via GOEXPERIMENT=boringcrypto.
* In go1.x-openssl enable FIPS mode (or boring mode as the
package is named) either via an environment variable
GOLANG_FIPS=1 or by virtue of booting the host in FIPS mode.
* When the operating system is operating in FIPS mode, Go
applications which import crypto/tls/fipsonly limit operations
to the FIPS ciphersuite.
* go1.x-openssl is delivered as two large patches to go1.x
applying necessary modifications from the golang-fips/go GitHub
project for the Go crypto library to use OpenSSL as the
external cryptographic library in a FIPS compliant way.
* go1.x-openssl modifies the crypto/* packages to use OpenSSL for
cryptographic operations.
* go1.x-openssl uses dlopen() to call into OpenSSL.
* SUSE RPM packaging introduces a fourth version digit go1.x.y.z
corresponding to the golang-fips/go patchset tagged revision.
* Patchset improvements can be updated independently of upstream
Go maintenance releases.
The following package changes have been done:
- go1.21-openssl-doc-1.21.4.1-150000.1.5.1 added
- go1.21-openssl-1.21.4.1-150000.1.5.1 added
- go1.21-openssl-race-1.21.4.1-150000.1.5.1 added
- go1.20-openssl-1.20.11.1-150000.1.14.1 removed
- go1.20-openssl-doc-1.20.11.1-150000.1.14.1 removed
- go1.20-openssl-race-1.20.11.1-150000.1.14.1 removed
More information about the sle-security-updates
mailing list