Vulnerability from csaf_suse
Published
2023-03-14 17:07
Modified
2023-03-14 17:07
Summary
Security update for go1.20
Notes
Title of the patch
Security update for go1.20
Description of the patch
This update for go1.20 fixes the following issues:
- Improvements to go1.x packaging spec:
* On Tumbleweed bootstrap with current default gcc13 and gccgo118
* On SLE-12 aarch64 ppc64le ppc64 remove overrides to bootstrap
using go1.x package (%bcond_without gccgo). This is no longer
needed on current SLE-12:Update and removing them consolidates
the build configurations used.
* Change source URLs to go.dev as per Go upstream
* On x86_64 export GOAMD64=v1 as per the current baseline.
At this time forgo the GOAMD64=v3 option for x86_64_v3 support.
* On x86_64 %define go_amd64=v1 as the current instruction baseline
* In %check on x86_64 use the value %go_amd64=v1 as GOAMD64=v1 to
grep that the correct TSAN version is checked out from LLVM, with the
new spelling internal/amd64v1/race_linux.syso
go1.20.2 (released 2023-03-07) includes a security fix to the
crypto/elliptic package, as well as bug fixes to the compiler,
the covdata command, the linker, the runtime, and the
crypto/ecdh, crypto/rsa, crypto/x509, os, and syscall packages. (boo#1206346)
* CVE-2023-24532: crypto/elliptic: fixed incorrect results for specific unreduced P-256 scalars (boo#1209030)
* cmd/covdata: short read on string table when merging coverage counters
* runtime: some linkname signatures do not match
* cmd/compile: inline static init cause compile time error
* cmd/compile: internal compiler error: '(*Tree[go.shape.int]).RemoveParent.func1': value .dict (nil) incorrectly live at entry
* crypto/ecdh: ECDH method doesn't check curve
* cmd/link: relocation truncated to fit: R_ARM_CALL against `runtime.duffcopy'
* crypto/internal/bigmod: flag amd64 assembly as noescape
* runtime: endless traceback when panic in generics function
* runtime: long latency of sweep assists
* syscall.Faccessat and os.LookPath regression in Go 1.20
* os: cmd/go gets error 'copy_file_range: function not implemented'
* net: TestTCPSelfConnect failures due to unexpected connections
* syscall: Environ uses an invalid unsafe.Pointer conversion on Windows
* cmd/compile: ICE on method value involving imported anonymous interface
* crypto/x509: Incorrect documentation for ParsePKCS8PrivateKey
* crypto/x509: TestSystemVerify consistently failing
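The P-256 fix above (CVE-2023-24532) concerns ScalarMult and ScalarBaseMult being handed a scalar at or above the group order N. The following is an added example, not part of this advisory or of the Go project's own test suite: a regression check a packager can run against a built toolchain in %check, using the invariant k*G == (k mod N)*G, which any correct implementation must satisfy. The sample scalars are constructed here and are not the upstream reproducer; a non-empty result from checkP256 is a toolchain that still has the bug.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// scalarMultConsistent checks the invariant k*G == (k mod N)*G on the given
// curve, computing the left side from the unreduced scalar bytes through both
// ScalarMult and ScalarBaseMult. A correct implementation always returns true;
// a mismatch is the symptom CVE-2023-24532 describes for P-256.
func scalarMultConsistent(curve elliptic.Curve, k *big.Int) bool {
	params := curve.Params()
	reduced := new(big.Int).Mod(k, params.N)
	if reduced.Sign() == 0 {
		// k is a multiple of N: the result is the point at infinity, whose
		// affine encoding is implementation-defined, so it is skipped.
		return true
	}
	wantX, wantY := curve.ScalarMult(params.Gx, params.Gy, reduced.Bytes())
	gotX, gotY := curve.ScalarMult(params.Gx, params.Gy, k.Bytes())
	baseX, baseY := curve.ScalarBaseMult(k.Bytes())
	return gotX.Cmp(wantX) == 0 && gotY.Cmp(wantY) == 0 &&
		baseX.Cmp(wantX) == 0 && baseY.Cmp(wantY) == 0
}

// unreducedSamples builds scalars at or above the P-256 order N: 32-byte
// values in [N, 2^256) that bypass length-based normalization, plus longer
// values that exercise the reduction path. Constructed inputs; they are not
// the upstream reproducer.
func unreducedSamples() []*big.Int {
	n := elliptic.P256().Params().N
	two256 := new(big.Int).Lsh(big.NewInt(1), 256)
	samples := []*big.Int{
		new(big.Int).Add(n, big.NewInt(1)),
		new(big.Int).Add(n, big.NewInt(2)),
		new(big.Int).Add(n, big.NewInt(0xdead_beef)),
		new(big.Int).Sub(two256, big.NewInt(1)),
		new(big.Int).Sub(two256, big.NewInt(2)),
		new(big.Int).Add(two256, big.NewInt(5)), // 33 bytes long
		new(big.Int).Add(new(big.Int).Mul(n, big.NewInt(3)), big.NewInt(12345)),
	}
	// Sweep a band just above N as well, since the failures were input-specific.
	for i := int64(3); i < 64; i++ {
		samples = append(samples, new(big.Int).Add(n, big.NewInt(i)))
	}
	return samples
}

// checkP256 runs the invariant over the samples and returns the scalars that
// fail, hex encoded, so the output can be pasted into a bug report.
func checkP256(samples []*big.Int) []string {
	var bad []string
	for _, k := range samples {
		if !scalarMultConsistent(elliptic.P256(), k) {
			bad = append(bad, k.Text(16))
		}
	}
	return bad
}

func main() {
	if bad := checkP256(unreducedSamples()); len(bad) > 0 {
		fmt.Println("P-256 unreduced scalar mismatch for:", bad)
		return
	}
	fmt.Println("P-256 ScalarMult consistent for all unreduced samples")
}
```

ScalarMult and ScalarBaseMult are deprecated in favour of crypto/ecdh, which is why the check calls them directly: the bug lived below crypto/ecdh and crypto/ecdsa, which never pass unreduced scalars, so only callers of the low-level API were exposed.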
go1.20.1 (released 2023-02-14) includes security fixes to the
crypto/tls, mime/multipart, net/http, and path/filepath packages,
as well as bug fixes to the compiler, the go command, the linker,
the runtime, and the time package. (bsc#1206346)
- CVE-2022-41722 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725
* bsc#1208269 security: fix CVE-2022-41722 path/filepath: path traversal in filepath.Clean on Windows
* bsc#1208270 security: fix CVE-2022-41723 net/http: avoid quadratic complexity in HPACK decoding
* bsc#1208271 security: fix CVE-2022-41724 crypto/tls: large handshake records may cause panics
* bsc#1208272 security: fix CVE-2022-41725 net/http, mime/multipart: denial of service from excessive resource consumption
* time: update zoneinfo_abbrs on Windows
* cmd/link: .go.buildinfo is gc'ed by --gc-sections
* cmd/compile/internal/pgo: Detect sample value position instead of hard-coding
* cmd/compile: constant overflows when assigned to package level var (Go 1.20 regression)
* cmd/compile: internal compiler error: panic: interface conversion: ir.Node is *ir.CompLitExpr, not *ir.Name
* cmd/compile: internal compiler error: Type.Elem UNION
* runtime: GOOS=ios fails Apple's app validation due to use of private API
* cmd/go/internal/test: stale flagdefs.go not detected by tests
* all: test failures with ETXTBSY
* cmd/go/internal/modfetch: TestCodeRepo/gopkg.in_natefinch_lumberjack.v2/latest failing
- go1.20 (released 2023-02-01) is a major release of Go.
go1.20.x minor releases will be provided through February 2024.
https://github.com/golang/go/wiki/Go-Release-Cycle
go1.20 arrives six months after go1.19. Most of its changes are
in the implementation of the toolchain, runtime, and libraries.
As always, the release maintains the Go 1 promise of
compatibility. We expect almost all Go programs to continue to
compile and run as before. (bsc#1206346 jsc#PED-1962)
* Go 1.20 includes four changes to the language
* Language change: Go 1.17 added conversions from slice to an
array pointer. Go 1.20 extends this to allow conversions from a
slice to an array
* Language change: The unsafe package defines three new functions
SliceData, String, and StringData. Along with Go 1.17's Slice,
these functions now provide the complete ability to construct
and deconstruct slice and string values, without depending on
their exact representation.
* Language change: The specification now defines that struct
values are compared one field at a time, considering fields in
the order they appear in the struct type definition, and
stopping at the first mismatch. The specification could
previously have been read as if all fields needed to be
compared beyond the first mismatch. Similarly, the
specification now defines that array values are compared one
element at a time, in increasing index order. In both cases,
the difference affects whether certain comparisons must
panic. Existing programs are unchanged: the new spec wording
describes what the implementations have always done.
* Language change: Comparable types (such as ordinary interfaces)
may now satisfy comparable constraints, even if the type
arguments are not strictly comparable (comparison may panic at
runtime). This makes it possible to instantiate a type
parameter constrained by comparable (e.g., a type parameter for
a user-defined generic map key) with a non-strictly comparable
type argument such as an interface type, or a composite type
containing an interface type.
* go command: The directory $GOROOT/pkg no longer stores
pre-compiled package archives for the standard library: go
install no longer writes them, go build no longer checks
for them, and the Go distribution no longer ships
them. Instead, packages in the standard library are built as
needed and cached in the build cache, just like packages
outside GOROOT. This change reduces the size of the Go
distribution and also avoids C toolchain skew for packages that
use cgo. Refs jsc#PED-1962
* go command: The implementation of go test -json has been
improved to make it more robust. Programs that run go test
-json do not need any updates. Programs that invoke go tool
test2json directly should now run the test binary with
-v=test2json (for example, go test -v=test2json or ./pkg.test
-test.v=test2json) instead of plain -v.
* go command: A related change to go test -json is the addition
of an event with Action set to start at the beginning of each
test program's execution. When running multiple tests using the
go command, these start events are guaranteed to be emitted in
the same order as the packages named on the command line.
* go command: The go command now defines architecture feature
build tags, such as amd64.v2, to allow selecting a package
implementation file based on the presence or absence of a
particular architecture feature. See go help buildconstraint
for details.
* go command: The go subcommands now accept -C <dir> to change
directory to <dir> before performing the command, which may be
useful for scripts that need to execute commands in multiple
different modules.
* go command: The go build and go test commands no longer accept
the -i flag, which has been deprecated since Go 1.16.
* go command: The go generate command now accepts -skip <pattern>
to skip //go:generate directives matching <pattern>.
* go command: The go test command now accepts -skip <pattern> to
skip tests, subtests, or examples matching <pattern>.
* go command: When the main module is located within GOPATH/src,
go install no longer installs libraries for non-main packages
to GOPATH/pkg, and go list no longer reports a Target field for
such packages. (In module mode, compiled packages are stored in
the build cache only, but a bug had caused the GOPATH install
targets to unexpectedly remain in effect.)
* go command: The go build, go install, and other build-related
commands now support a -pgo flag that enables profile-guided
optimization, which is described in more detail in the Compiler
section below. The -pgo flag specifies the file path of the
profile. Specifying -pgo=auto causes the go command to search
for a file named default.pgo in the main package's directory
and use it if present. This mode currently requires a single
main package to be specified on the command line, but we plan
to lift this restriction in a future release. Specifying
-pgo=off turns off profile-guided optimization.
* go command: The go build, go install, and other build-related
commands now support a -cover flag that builds the specified
target with code coverage instrumentation. This is described in
more detail in the Cover section below.
* go version: The go version -m command now supports reading more
types of Go binaries, most notably, Windows DLLs built with go
build -buildmode=c-shared and Linux binaries without execute
permission.
* Cgo: The go command now disables cgo by default on systems
without a C toolchain. More specifically, when the CGO_ENABLED
environment variable is unset, the CC environment variable is
unset, and the default C compiler (typically clang or gcc) is
not found in the path, CGO_ENABLED defaults to 0. As always,
you can override the default by setting CGO_ENABLED explicitly.
The most important effect of the default change is that when Go
is installed on a system without a C compiler, it will now use
pure Go builds for packages in the standard library that use
cgo, instead of using pre-distributed package archives (which
have been removed, as noted above) or attempting to use cgo and
failing. This makes Go work better in some minimal container
environments as well as on macOS, where pre-distributed package
archives have not been used for cgo-based packages since Go
1.16.
The packages in the standard library that use cgo are net,
os/user, and plugin. On macOS, the net and os/user packages
have been rewritten not to use cgo: the same code is now used
for cgo and non-cgo builds as well as cross-compiled builds. On
Windows, the net and os/user packages have never used cgo. On
other systems, builds with cgo disabled will use a pure Go
version of these packages.
On macOS, the race detector has been rewritten not to use cgo:
race-detector-enabled programs can be built and run without
Xcode. On Linux and other Unix systems, and on Windows, a host
C toolchain is required to use the race detector.
* go cover: Go 1.20 supports collecting code coverage profiles
for programs (applications and integration tests), as opposed
to just unit tests. To collect coverage data for a program,
build it with go build's -cover flag, then run the resulting
binary with the environment variable GOCOVERDIR set to an
output directory for coverage profiles. See the 'coverage for
integration tests' landing page for more on how to get
started. For details on the design and implementation, see the
proposal.
* go vet: Improved detection of loop variable capture by nested
functions. The vet tool now reports references to loop
variables following a call to T.Parallel() within subtest
function bodies. Such references may observe the value of the
variable from a different iteration (typically causing test
cases to be skipped) or an invalid state due to unsynchronized
concurrent access.
* go vet: The tool also detects reference mistakes in more
places. Previously it would only consider the last statement
of the loop body, but now it recursively inspects the last
statements within if, switch, and select statements.
* go vet: New diagnostic for incorrect time formats. The vet tool
now reports use of the time format 2006-02-01 (yyyy-dd-mm) with
Time.Format and time.Parse. This format does not appear in
common date standards, but is frequently used by mistake when
attempting to use the ISO 8601 date format (yyyy-mm-dd).
* Runtime: Some of the garbage collector's internal data
structures were reorganized to be both more space and CPU
efficient. This change reduces memory overheads and improves
overall CPU performance by up to 2%.
* Runtime: The garbage collector behaves less erratically with
respect to goroutine assists in some circumstances.
* Runtime: Go 1.20 adds a new runtime/coverage package containing
APIs for writing coverage profile data at runtime from
long-running and/or server programs that do not terminate via
os.Exit().
* Compiler: Go 1.20 adds preview support for profile-guided
optimization (PGO). PGO enables the toolchain to perform
application- and workload-specific optimizations based on
run-time profile information. Currently, the compiler supports
pprof CPU profiles, which can be collected through usual means,
such as the runtime/pprof or net/http/pprof packages. To enable
PGO, pass the path of a pprof profile file via the -pgo flag to
go build, as mentioned above. Go 1.20 uses PGO to more
aggressively inline functions at hot call sites. Benchmarks for
a representative set of Go programs show enabling
profile-guided inlining optimization improves performance about
3–4%. See the PGO user guide for detailed documentation. We
plan to add more profile-guided optimizations in future
releases. Note that profile-guided optimization is a preview,
so please use it with appropriate caution.
* Compiler: The Go 1.20 compiler upgraded its front-end to use a
new way of handling the compiler's internal data, which fixes
several generic-types issues and enables type declarations
within generic functions and methods.
* Compiler: The compiler now rejects anonymous interface cycles
with a compiler error by default. These arise from tricky uses
of embedded interfaces and have always had subtle correctness
issues, yet we have no evidence that they're actually used in
practice. Assuming no reports from users adversely affected by
this change, we plan to update the language specification for
Go 1.22 to formally disallow them so tools authors can stop
supporting them too.
* Compiler: Go 1.18 and 1.19 saw regressions in build speed,
largely due to the addition of support for generics and
follow-on work. Go 1.20 improves build speeds by up to 10%,
bringing it back in line with Go 1.17. Relative to Go 1.19,
generated code performance is also generally slightly improved.
* Linker: On Linux, the linker now selects the dynamic
interpreter for glibc or musl at link time.
* Linker: On Windows, the Go linker now supports modern
LLVM-based C toolchains.
* Linker: Go 1.20 uses go: and type: prefixes for
compiler-generated symbols rather than go. and type.. This
avoids confusion for user packages whose names start with
'go.'. The debug/gosym package understands this new naming
convention for binaries built with Go 1.20 and newer.
* Bootstrap: When building a Go release from source and
GOROOT_BOOTSTRAP is not set, previous versions of Go looked for
a Go 1.4 or later bootstrap toolchain in the directory
$HOME/go1.4 (%HOMEDRIVE%%HOMEPATH%\go1.4 on Windows). Go 1.18
and Go 1.19 looked first for $HOME/go1.17 or $HOME/sdk/go1.17
before falling back to $HOME/go1.4, in anticipation of
requiring Go 1.17 for use when bootstrapping Go 1.20. Go 1.20
does require a Go 1.17 release for bootstrapping, but we
realized that we should adopt the latest point release of the
bootstrap toolchain, so it requires Go 1.17.13. Go 1.20 looks
for $HOME/go1.17.13 or $HOME/sdk/go1.17.13 before falling back
to $HOME/go1.4 (to support systems that hard-coded the path
$HOME/go1.4 but have installed a newer Go toolchain there). In
the future, we plan to move the bootstrap toolchain forward
approximately once a year, and in particular we expect that Go
1.22 will require the final point release of Go 1.20 for
bootstrap.
* Library: Go 1.20 adds a new crypto/ecdh package to provide
explicit support for Elliptic Curve Diffie-Hellman key
exchanges over NIST curves and Curve25519. Programs should use
crypto/ecdh instead of the lower-level functionality in
crypto/elliptic for ECDH, and third-party modules for more
advanced use cases.
* Error handling: Go 1.20 expands support for error wrapping to
permit an error to wrap multiple other errors.
* Error handling: An error e can wrap more than one error by
providing an Unwrap method that returns a []error.
* Error handling: The errors.Is and errors.As functions have been
updated to inspect multiply wrapped errors.
* Error handling: The fmt.Errorf function now supports multiple
occurrences of the %w format verb, which will cause it to
return an error that wraps all of those error operands.
* Error handling: The new function errors.Join returns an error
wrapping a list of errors.
* HTTP ResponseController: The new 'net/http'.ResponseController
type provides access to extended per-request functionality not
handled by the 'net/http'.ResponseWriter interface. The
ResponseController type provides a clearer, more discoverable
way to add per-handler controls. Two such controls also added
in Go 1.20 are SetReadDeadline and SetWriteDeadline, which
allow setting per-request read and write deadlines.
* New ReverseProxy Rewrite hook: The httputil.ReverseProxy
forwarding proxy includes a new Rewrite hook function,
superseding the previous Director hook.
* archive/tar: When the GODEBUG=tarinsecurepath=0 environment
variable is set, Reader.Next method will now return the error
ErrInsecurePath for an entry with a file name that is an
absolute path, refers to a location outside the current
directory, contains invalid characters, or (on Windows) is a
reserved name such as NUL. A future version of Go may disable
insecure paths by default.
* archive/zip: When the GODEBUG=zipinsecurepath=0 environment
variable is set, NewReader will now return the error
ErrInsecurePath when opening an archive which contains any file
name that is an absolute path, refers to a location outside the
current directory, contains invalid characters, or (on Windows)
is a reserved name such as NUL. A future version of Go may
disable insecure paths by default.
* archive/zip: Reading from a directory file that contains file
data will now return an error. The zip specification does not
permit directory files to contain file data, so this change
only affects reading from invalid archives.
* bytes: The new CutPrefix and CutSuffix functions are like
TrimPrefix and TrimSuffix but also report whether the string
was trimmed.
* bytes: The new Clone function allocates a copy of a byte slice.
* context: The new WithCancelCause function provides a way to
cancel a context with a given error. That error can be
retrieved by calling the new Cause function.
* crypto/ecdsa: When using supported curves, all operations are
now implemented in constant time. This led to an increase in
CPU time between 5% and 30%, mostly affecting P-384 and P-521.
* crypto/ecdsa: The new PrivateKey.ECDH method converts an
ecdsa.PrivateKey to an ecdh.PrivateKey.
* crypto/ed25519: The PrivateKey.Sign method and the
VerifyWithOptions function now support signing pre-hashed
messages with Ed25519ph, indicated by an Options.HashFunc that
returns crypto.SHA512. They also now support Ed25519ctx and
Ed25519ph with context, indicated by setting the new
Options.Context field.
* crypto/rsa: The new field OAEPOptions.MGFHash allows
configuring the MGF1 hash separately for OAEP decryption.
* crypto/rsa: crypto/rsa now uses a new, safer, constant-time
backend. This causes a CPU runtime increase for decryption
operations between approximately 15% (RSA-2048 on amd64) and
45% (RSA-4096 on arm64), and more on 32-bit
architectures. Encryption operations are approximately 20x
slower than before (but still 5-10x faster than
decryption). Performance is expected to improve in future
releases. Programs must not modify or manually generate the
fields of PrecomputedValues.
* crypto/subtle: The new function XORBytes XORs two byte slices
together.
* crypto/tls: Parsed certificates are now shared across all
clients actively using that certificate. The memory savings can
be significant in programs that make many concurrent
connections to a server or collection of servers sharing any
part of their certificate chains.
* crypto/tls: For a handshake failure due to a certificate
verification failure, the TLS client and server now return an
error of the new type CertificateVerificationError, which
includes the presented certificates.
* crypto/x509: ParsePKCS8PrivateKey and MarshalPKCS8PrivateKey
now support keys of type *crypto/ecdh.PrivateKey.
ParsePKIXPublicKey and MarshalPKIXPublicKey now support keys of
type *crypto/ecdh.PublicKey. Parsing NIST curve keys still
returns values of type *ecdsa.PublicKey and *ecdsa.PrivateKey.
Use their new ECDH methods to convert to the crypto/ecdh types.
* crypto/x509: The new SetFallbackRoots function allows a program
to define a set of fallback root certificates in case an
operating system verifier or standard platform root bundle is
unavailable at runtime. It will most commonly be used with a
new package, golang.org/x/crypto/x509roots/fallback, which will
provide an up to date root bundle.
* debug/elf: Attempts to read from a SHT_NOBITS section using
Section.Data or the reader returned by Section.Open now return
an error.
* debug/elf: Additional R_LARCH_* constants are defined for use
with LoongArch systems.
* debug/elf: Additional R_PPC64_* constants are defined for use
with PPC64 ELFv2 relocations.
* debug/elf: The constant value for R_PPC64_SECTOFF_LO_DS is
corrected, from 61 to 62.
* debug/gosym: Due to a change of Go's symbol naming conventions,
tools that process Go binaries should use Go 1.20's debug/gosym
package to transparently handle both old and new binaries.
* debug/pe: Additional IMAGE_FILE_MACHINE_RISCV* constants are
defined for use with RISC-V systems.
* encoding/binary: The ReadVarint and ReadUvarint functions will
now return io.ErrUnexpectedEOF after reading a partial value,
rather than io.EOF.
* encoding/xml: The new Encoder.Close method can be used to check
for unclosed elements when finished encoding.
* encoding/xml: The decoder now rejects element and attribute
names with more than one colon, such as <a:b:c>, as well as
namespaces that resolve to an empty string, such as xmlns:a=''.
* encoding/xml: The decoder now rejects elements that use
different namespace prefixes in the opening and closing tag,
even if those prefixes both denote the same namespace.
* errors: The new Join function returns an error wrapping a list
of errors.
* fmt: The Errorf function supports multiple occurrences of the
%w format verb, returning an error that unwraps to the list of
all arguments to %w.
* fmt: The new FormatString function recovers the formatting
directive corresponding to a State, which can be useful in
Formatter implementations.
* go/ast: The new RangeStmt.Range field records the position of
the range keyword in a range statement.
* go/ast: The new File.FileStart and File.FileEnd fields record
the position of the start and end of the entire source file.
* go/token: The new FileSet.RemoveFile method removes a file from
a FileSet. Long-running programs can use this to release memory
associated with files they no longer need.
* go/types: The new Satisfies function reports whether a type
satisfies a constraint. This change aligns with the new
language semantics that distinguish satisfying a constraint
from implementing an interface.
* io: The new OffsetWriter wraps an underlying WriterAt and
provides Seek, Write, and WriteAt methods that adjust their
effective file offset position by a fixed amount.
* io/fs: The new error SkipAll terminates a WalkDir immediately
but successfully.
* math/big: The math/big package's wide scope and input-dependent
timing make it ill-suited for implementing cryptography. The
cryptography packages in the standard library no longer call
non-trivial Int methods on attacker-controlled inputs. In the
future, the determination of whether a bug in math/big is
considered a security vulnerability will depend on its wider
impact on the standard library.
* math/rand: The math/rand package now automatically seeds the
global random number generator (used by top-level functions
like Float64 and Int) with a random value, and the top-level
Seed function has been deprecated. Programs that need a
reproducible sequence of random numbers should prefer to
allocate their own random source, using
rand.New(rand.NewSource(seed)).
* math/rand: Programs that need the earlier consistent global
seeding behavior can set GODEBUG=randautoseed=0 in their
environment.
* math/rand: The top-level Read function has been deprecated. In
almost all cases, crypto/rand.Read is more appropriate.
* mime: The ParseMediaType function now allows duplicate
parameter names, so long as the values of the names are the
same.
* mime/multipart: Methods of the Reader type now wrap errors
returned by the underlying io.Reader.
* net: The LookupCNAME function now consistently returns the
contents of a CNAME record when one exists. Previously on Unix
systems and when using the pure Go resolver, LookupCNAME would
return an error if a CNAME record referred to a name with
no A, AAAA, or CNAME record. This change modifies LookupCNAME
to match the previous behavior on Windows, allowing LookupCNAME
to succeed whenever a CNAME exists.
* net: Interface.Flags now includes the new flag FlagRunning,
indicating an operationally active interface. An interface
which is administratively configured but not active (for
example, because the network cable is not connected) will have
FlagUp set but not FlagRunning.
* net: The new Dialer.ControlContext field contains a callback
function similar to the existing Dialer.Control hook, that
additionally accepts the dial context as a parameter. Control
is ignored when ControlContext is not nil.
* net: The Go DNS resolver recognizes the trust-ad resolver
option. When options trust-ad is set in resolv.conf, the Go
resolver will set the AD bit in DNS queries. The resolver does
not make use of the AD bit in responses.
* net: DNS resolution will detect changes to /etc/nsswitch.conf
and reload the file when it changes. Checks are made at most
once every five seconds, matching the previous handling of
/etc/hosts and /etc/resolv.conf.
* net/http: The ResponseWriter.WriteHeader function now supports
sending 1xx status codes.
* net/http: The new Server.DisableGeneralOptionsHandler
configuration setting allows disabling the default OPTIONS *
handler.
* net/http: The new Transport.OnProxyConnectResponse hook is
called when a Transport receives an HTTP response from a proxy
for a CONNECT request.
* net/http: The HTTP server now accepts HEAD requests containing
a body, rather than rejecting them as invalid.
* net/http: HTTP/2 stream errors returned by net/http functions
may be converted to a golang.org/x/net/http2.StreamError using
errors.As.
* net/http: Leading and trailing spaces are trimmed from cookie
names, rather than being rejected as invalid. For example, a
cookie setting of 'name =value' is now accepted as setting the
cookie 'name'.
* net/netip: The new IPv6LinkLocalAllRouters and IPv6Loopback
functions are the net/netip equivalents of net.IPv6loopback and
net.IPv6linklocalallrouters.
* os: On Windows, the name NUL is no longer treated as a special
case in Mkdir and Stat.
* os: On Windows, File.Stat now uses the file handle to retrieve
attributes when the file is a directory. Previously it would
use the path passed to Open, which may no longer be the file
represented by the file handle if the file has been moved or
replaced. This change modifies Open to open directories without
the FILE_SHARE_DELETE access, which matches the behavior of
regular files.
* os: On Windows, File.Seek now supports seeking to the beginning
of a directory.
* os/exec: The new Cmd fields Cancel and WaitDelay specify the
behavior of the Cmd when its associated Context is canceled or
its process exits with I/O pipes still held open by a child
process.
* path/filepath: The new error SkipAll terminates a Walk
immediately but successfully.
* path/filepath: The new IsLocal function reports whether a path
is lexically local to a directory. For example, if IsLocal(p)
is true, then Open(p) will refer to a file that is lexically
within the subtree rooted at the current directory.
* reflect: The new Value.Comparable and Value.Equal methods can
be used to compare two Values for equality. Comparable reports
whether Equal is a valid operation for a given Value receiver.
* reflect: The new Value.Grow method extends a slice to guarantee
space for another n elements.
* reflect: The new Value.SetZero method sets a value to be the
zero value for its type.
* reflect: Go 1.18 introduced Value.SetIterKey and
Value.SetIterValue methods. These are optimizations:
v.SetIterKey(it) is meant to be equivalent to
v.Set(it.Key()). The implementations incorrectly omitted a
check for use of unexported fields that was present in the
unoptimized forms. Go 1.20 corrects these methods to include
the unexported field check.
* regexp: Go 1.19.2 and Go 1.18.7 included a security fix to the
regular expression parser, making it reject very large
expressions that would consume too much memory. Because Go
patch releases do not introduce new API, the parser returned
syntax.ErrInternalError in this case. Go 1.20 adds a more
specific error, syntax.ErrLarge, which the parser now returns
instead.
* runtime/cgo: Go 1.20 adds new Incomplete marker type. Code
generated by cgo will use cgo.Incomplete to mark an incomplete
C type.
* runtime/metrics: Go 1.20 adds new supported metrics, including
the current GOMAXPROCS setting (/sched/gomaxprocs:threads), the
number of cgo calls executed (/cgo/go-to-c-calls:calls), total
mutex block time (/sync/mutex/wait/total:seconds), and various
measures of time spent in garbage collection.
* runtime/metrics: Time-based histogram metrics are now less
precise, but take up much less memory.
* runtime/pprof: Mutex profile samples are now pre-scaled, fixing
an issue where old mutex profile samples would be scaled
incorrectly if the sampling rate changed during execution.
* runtime/pprof: Profiles collected on Windows now include memory
mapping information that fixes symbolization issues for
position-independent binaries.
* runtime/trace: The garbage collector's background sweeper now
yields less frequently, resulting in many fewer extraneous
events in execution traces.
* strings: The new CutPrefix and CutSuffix functions are like
TrimPrefix and TrimSuffix but also report whether the string
was trimmed.
* sync: The new Map methods Swap, CompareAndSwap, and
CompareAndDelete allow existing map entries to be updated
atomically.
* syscall: On FreeBSD, compatibility shims needed for FreeBSD 11
and earlier have been removed.
* syscall: On Linux, additional CLONE_* constants are defined for
use with the SysProcAttr.Cloneflags field.
* syscall: On Linux, the new SysProcAttr.CgroupFD and
SysProcAttr.UseCgroupFD fields provide a way to place a child
process into a specific cgroup.
* testing: The new method B.Elapsed reports the current elapsed
time of the benchmark, which may be useful for calculating
rates to report with ReportMetric.
* time: The new time layout constants DateTime, DateOnly, and
TimeOnly provide names for three of the most common layout
strings used in a survey of public Go source code.
* time: The new Time.Compare method compares two times.
* time: Parse now ignores sub-nanosecond precision in its input,
instead of reporting those digits as an error.
* time: The Time.MarshalJSON method is now more strict about
adherence to RFC 3339.
* unicode/utf16: The new AppendRune function appends the UTF-16
encoding of a given rune to a uint16 slice, analogous to
utf8.AppendRune.
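Worked example for the crypto/ecdh, crypto/ecdsa and crypto/x509 items above, and for the go1.20.2 "ECDH method doesn't check curve" fix. This is added here and is not code from the advisory or from the Go project's documentation. It shows the exchange the release notes recommend in place of crypto/elliptic: public keys travel as PKIX DER (x509.MarshalPKIXPublicKey accepts *ecdh.PublicKey directly, but ParsePKIXPublicKey still returns *ecdsa.PublicKey for NIST curves, hence the ECDH() conversion), and PrivateKey.ECDH rejects a peer key on a different curve. Hashing the shared secret with SHA-256 is this example's stand-in for a KDF, not a recommendation from the page.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// party holds one side's P-256 key pair from crypto/ecdh.
type party struct {
	priv *ecdh.PrivateKey
}

func newParty() (*party, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &party{priv: priv}, nil
}

// wirePublicKey is the message a party sends: its public key as PKIX DER.
// Since Go 1.20 x509.MarshalPKIXPublicKey accepts *ecdh.PublicKey directly.
func (p *party) wirePublicKey() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(p.priv.PublicKey())
}

// sharedKey consumes the peer's DER. ParsePKIXPublicKey still returns
// *ecdsa.PublicKey for NIST curves, so the Go 1.20 ECDH method converts it.
// PrivateKey.ECDH then refuses a key on another curve (go1.20.2 fix).
func (p *party) sharedKey(peerDER []byte) ([32]byte, error) {
	var key [32]byte
	pub, err := x509.ParsePKIXPublicKey(peerDER)
	if err != nil {
		return key, err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return key, errors.New("peer key is not an EC public key")
	}
	peer, err := ecPub.ECDH()
	if err != nil {
		return key, err
	}
	secret, err := p.priv.ECDH(peer)
	if err != nil {
		return key, err
	}
	// Do not use the raw shared secret as a key. SHA-256 stands in for a
	// KDF here (this example's choice); a real protocol would bind context.
	return sha256.Sum256(secret), nil
}

// runExchange performs the two-message exchange and reports whether both
// parties derived the same key.
func runExchange() (bool, error) {
	alice, err := newParty()
	if err != nil {
		return false, err
	}
	bob, err := newParty()
	if err != nil {
		return false, err
	}
	aliceDER, err := alice.wirePublicKey()
	if err != nil {
		return false, err
	}
	bobDER, err := bob.wirePublicKey()
	if err != nil {
		return false, err
	}
	ka, err := alice.sharedKey(bobDER)
	if err != nil {
		return false, err
	}
	kb, err := bob.sharedKey(aliceDER)
	if err != nil {
		return false, err
	}
	return ka == kb, nil
}

// curveMismatchRejected shows the go1.20.2 behaviour: a P-256 private key
// paired with an X25519 public key is an error, not a garbage secret.
func curveMismatchRejected() bool {
	p256, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return false
	}
	x, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return false
	}
	_, err = p256.ECDH(x.PublicKey())
	return err != nil
}

func main() {
	ok, err := runExchange()
	if err != nil {
		panic(err)
	}
	fmt.Println("shared keys match:", ok)
	fmt.Println("curve mismatch rejected:", curveMismatchRejected())
}
```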
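Worked example for the archive/zip ErrInsecurePath item and the path/filepath IsLocal item above. In Go 1.20 the insecure-path check is opt-in through GODEBUG=zipinsecurepath=0, so an extractor should not depend on it. The example below is added here and is not from the advisory or the Go project: it treats ErrInsecurePath as a signal rather than a fatal error (NewReader still returns a usable *Reader with it) and gates every entry on filepath.IsLocal before writing. The archive is constructed in-memory test data; the backslash rejection and the 64 MiB per-entry cap are this example's own choices. archive/tar entries can be filtered the same way as Reader.Next yields them.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// buildArchive constructs in-memory test data: one benign entry and two
// hostile names. This is not a real archive from anywhere.
func buildArchive() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"ok/readme.txt", "harmless"},
		{"../escape.txt", "zip slip attempt"},
		{"/etc/passwd", "absolute path attempt"},
	} {
		w, err := zw.Create(e.name)
		if err != nil {
			panic(err)
		}
		if _, err := io.WriteString(w, e.body); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// entryIsLocal is the per-entry gate, applied whether or not
// GODEBUG=zipinsecurepath=0 is set. filepath.IsLocal rejects absolute paths
// and ".." escapes lexically; backslashes are rejected as well because
// IsLocal does not treat them as separators on Unix (this example's rule).
func entryIsLocal(name string) bool {
	return !strings.Contains(name, `\`) && filepath.IsLocal(name)
}

// openArchive wraps zip.NewReader. NewReader returns a usable *Reader along
// with ErrInsecurePath, so that error means "filter", not "abort".
func openArchive(data []byte) (*zip.Reader, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	return zr, nil
}

// scanArchive splits the entry names into accepted and rejected.
func scanArchive(data []byte) (accepted, rejected []string, err error) {
	zr, err := openArchive(data)
	if err != nil {
		return nil, nil, err
	}
	for _, f := range zr.File {
		if entryIsLocal(f.Name) {
			accepted = append(accepted, f.Name)
		} else {
			rejected = append(rejected, f.Name)
		}
	}
	return accepted, rejected, nil
}

// extractArchive writes only accepted regular files below dst and returns
// the paths written; a hostile name never resolves outside dst.
func extractArchive(dst string, data []byte) ([]string, error) {
	zr, err := openArchive(data)
	if err != nil {
		return nil, err
	}
	var written []string
	for _, f := range zr.File {
		if !entryIsLocal(f.Name) || f.FileInfo().IsDir() {
			continue
		}
		target := filepath.Join(dst, filepath.FromSlash(f.Name))
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
		if err != nil {
			rc.Close()
			return written, err
		}
		// 64 MiB per-entry cap (example's choice) so one entry cannot fill the disk.
		_, err = io.Copy(out, io.LimitReader(rc, 64<<20))
		rc.Close()
		out.Close()
		if err != nil {
			return written, err
		}
		written = append(written, target)
	}
	return written, nil
}

func main() {
	accepted, rejected, err := scanArchive(buildArchive())
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", accepted)
	fmt.Println("rejected:", rejected)
}
```

The lexical check is deliberately separate from the filesystem: IsLocal says nothing about symlinks already present under dst, so an extractor that must tolerate untrusted existing trees still needs O_EXCL (used above) or an openat-style walk.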
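Worked example for the http.ResponseController item above. A per-handler deadline is the practical use of the new type: a route that accepts uploads can bound how long a client may take to deliver the body without tightening Server.ReadTimeout for every route. The example is added here and is not from the page or the Go project; the budgets, the 1 MiB body cap and the slow-drip client used to show rejection are its own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// uploadHandler bounds how long a client may take to deliver its body and
// how long the reply may take to drain, per request, through
// http.ResponseController rather than Server-wide ReadTimeout/WriteTimeout.
func uploadHandler(readBudget, writeBudget time.Duration) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rc := http.NewResponseController(w)
		if err := rc.SetReadDeadline(time.Now().Add(readBudget)); err != nil && !errors.Is(err, http.ErrNotSupported) {
			http.Error(w, "cannot set read deadline", http.StatusInternalServerError)
			return
		}
		// 1 MiB cap (example's choice): a deadline bounds time, not size.
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		if err != nil {
			// A slow-drip body surfaces here as an i/o timeout on r.Body.
			http.Error(w, "request body not received in time", http.StatusRequestTimeout)
			return
		}
		if err := rc.SetWriteDeadline(time.Now().Add(writeBudget)); err != nil && !errors.Is(err, http.ErrNotSupported) {
			http.Error(w, "cannot set write deadline", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "text/plain")
		fmt.Fprintf(w, "received %d bytes\n", len(body))
	})
}

// roundTrip runs the handler on a loopback httptest server and returns the
// status and trimmed reply for a well-behaved client.
func roundTrip(h http.Handler, body io.Reader) (int, string, error) {
	srv := httptest.NewServer(h)
	defer srv.Close()
	client := &http.Client{Timeout: 10 * time.Second}
	resp, err := client.Post(srv.URL, "text/plain", body)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	reply, err := io.ReadAll(resp.Body)
	return resp.StatusCode, strings.TrimSpace(string(reply)), err
}

// slowBody delivers one byte per tick, the shape of a slowloris-style upload
// (constructed client behaviour for the demonstration).
type slowBody struct {
	data []byte
	tick time.Duration
}

func (s *slowBody) Read(p []byte) (int, error) {
	if len(p) == 0 {
		return 0, nil
	}
	if len(s.data) == 0 {
		return 0, io.EOF
	}
	time.Sleep(s.tick)
	p[0] = s.data[0]
	s.data = s.data[1:]
	return 1, nil
}

// slowUploadRejected reports whether the handler cut off a body that would
// take far longer than readBudget: either a 408 came back or the server
// tore the connection down mid-upload.
func slowUploadRejected(h http.Handler) bool {
	srv := httptest.NewServer(h)
	defer srv.Close()
	client := &http.Client{Timeout: 10 * time.Second}
	body := &slowBody{data: []byte(strings.Repeat("x", 200)), tick: 10 * time.Millisecond}
	resp, err := client.Post(srv.URL, "text/plain", body)
	if err != nil {
		return true
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusRequestTimeout
}

func main() {
	h := uploadHandler(300*time.Millisecond, time.Second)
	status, reply, err := roundTrip(h, strings.NewReader("hello"))
	fmt.Println(status, reply, err)
	fmt.Println("slow upload rejected:", slowUploadRejected(h))
}
```

Because ResponseController reports http.ErrNotSupported for a ResponseWriter that cannot honour a deadline (a middleware wrapper that does not forward Unwrap, for instance), the handler fails closed on any other error but tolerates that one; silently continuing without the deadline would be the wrong default for an upload endpoint.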
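Worked example for the math/rand items above. The deprecations exist because a seeded generator is reproducible. This added example (not from the advisory or Go's documentation) shows the consequence: a token derived from math/rand with a timestamp-like seed is recovered by a brute-force over a window of plausible seeds, while crypto/rand.Read, the replacement the notes name, has no seed to recover. The seed window and token length are the example's assumptions.

```go
package main

import (
	crand "crypto/rand"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
	"time"
)

// weakToken is the pattern the deprecations target: bytes from a math/rand
// source driven by a guessable seed such as a Unix timestamp. Equal seeds
// give equal tokens, so the token is only as secret as the seed.
func weakToken(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	r.Read(b) // never returns an error, and is not a CSPRNG
	return hex.EncodeToString(b)
}

// recoverWeakToken brute-forces the seed over [seedLo, seedHi], the window
// an attacker would derive from a response's Date header, and returns the
// seed that reproduces the observed token.
func recoverWeakToken(observed string, n int, seedLo, seedHi int64) (int64, bool) {
	for s := seedLo; s <= seedHi; s++ {
		if weakToken(s, n) == observed {
			return s, true
		}
	}
	return 0, false
}

// strongToken is the replacement the release notes name: crypto/rand.Read,
// which draws from the operating system CSPRNG and has no seed to recover.
func strongToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := crand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	// A server that seeds with the current second, and an attacker who saw
	// the token and knows roughly when it was issued.
	now := time.Now().Unix()
	leaked := weakToken(now, 16)
	seed, ok := recoverWeakToken(leaked, 16, now-60, now)
	fmt.Printf("weak token %s recovered: seed=%d ok=%v\n", leaked, seed, ok)
	tok, err := strongToken(16)
	fmt.Printf("strong token %s err=%v\n", tok, err)
}
```

GODEBUG=randautoseed=0 restores the old deterministic global seed for programs that relied on it; it does not make the top-level functions suitable for secrets, which is the point of the Read deprecation.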
Patchnames
SUSE-2023-735,SUSE-SLE-Module-Development-Tools-15-SP4-2023-735,openSUSE-SLE-15.4-2023-735
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Aggregate severity
important (https://www.suse.com/support/security/rating/)
Distribution
TLP:WHITE (https://www.first.org/tlp/). Copyright 2024 SUSE LLC. All rights reserved.
Publisher
SUSE Product Security Team (vendor), https://www.suse.com/, contact: https://www.suse.com/support/security/contact/
References
* SUSE ratings: https://www.suse.com/support/security/rating/
* URL of this CSAF notice: https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_0735-1.json
* URL for SUSE-SU-2023:0735-1: https://www.suse.com/support/update/announcement/2023/suse-su-20230735-1/
* E-Mail link for SUSE-SU-2023:0735-1: https://lists.suse.com/pipermail/sle-security-updates/2023-March/014037.html
* SUSE Bug 1206346: https://bugzilla.suse.com/1206346
* SUSE Bug 1208269: https://bugzilla.suse.com/1208269
* SUSE Bug 1208270: https://bugzilla.suse.com/1208270
* SUSE Bug 1208271: https://bugzilla.suse.com/1208271
* SUSE Bug 1208272: https://bugzilla.suse.com/1208272
* SUSE Bug 1209030: https://bugzilla.suse.com/1209030
* SUSE CVE CVE-2022-41722 page: https://www.suse.com/security/cve/CVE-2022-41722/
* SUSE CVE CVE-2022-41723 page: https://www.suse.com/security/cve/CVE-2022-41723/
* SUSE CVE CVE-2022-41724 page: https://www.suse.com/security/cve/CVE-2022-41724/
* SUSE CVE CVE-2022-41725 page: https://www.suse.com/security/cve/CVE-2022-41725/
* SUSE CVE CVE-2023-24532 page: https://www.suse.com/security/cve/CVE-2023-24532/
Tracking
ID SUSE-SU-2023:0735-1, status final, version 1. Initial release 2023-03-14T17:07:51Z, current release 2023-03-14T17:07:51Z. Revision 1 (2023-03-14T17:07:51Z): Current version. Generated 2023-03-14T17:07:51Z by cve-database.git:bin/generate-csaf.pl version 1.
Affected packages
* aarch64: go1.20-1.20.2-150000.1.5.1.aarch64, go1.20-doc-1.20.2-150000.1.5.1.aarch64, go1.20-race-1.20.2-150000.1.5.1.aarch64
* i586: go1.20-1.20.2-150000.1.5.1.i586 (the product tree is cut off at this point in the source)
"product_version", name: "go1.20-doc-1.20.2-150000.1.5.1.i586", product: { name: "go1.20-doc-1.20.2-150000.1.5.1.i586", product_id: "go1.20-doc-1.20.2-150000.1.5.1.i586", }, }, ], category: "architecture", name: "i586", }, { branches: [ { category: "product_version", name: "go1.20-1.20.2-150000.1.5.1.ppc64le", product: { name: "go1.20-1.20.2-150000.1.5.1.ppc64le", product_id: "go1.20-1.20.2-150000.1.5.1.ppc64le", }, }, { category: "product_version", name: "go1.20-doc-1.20.2-150000.1.5.1.ppc64le", product: { name: "go1.20-doc-1.20.2-150000.1.5.1.ppc64le", product_id: "go1.20-doc-1.20.2-150000.1.5.1.ppc64le", }, }, { category: "product_version", name: "go1.20-race-1.20.2-150000.1.5.1.ppc64le", product: { name: "go1.20-race-1.20.2-150000.1.5.1.ppc64le", product_id: "go1.20-race-1.20.2-150000.1.5.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "go1.20-1.20.2-150000.1.5.1.s390x", product: { name: "go1.20-1.20.2-150000.1.5.1.s390x", product_id: "go1.20-1.20.2-150000.1.5.1.s390x", }, }, { category: "product_version", name: "go1.20-doc-1.20.2-150000.1.5.1.s390x", product: { name: "go1.20-doc-1.20.2-150000.1.5.1.s390x", product_id: "go1.20-doc-1.20.2-150000.1.5.1.s390x", }, }, { category: "product_version", name: "go1.20-race-1.20.2-150000.1.5.1.s390x", product: { name: "go1.20-race-1.20.2-150000.1.5.1.s390x", product_id: "go1.20-race-1.20.2-150000.1.5.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "go1.20-1.20.2-150000.1.5.1.x86_64", product: { name: "go1.20-1.20.2-150000.1.5.1.x86_64", product_id: "go1.20-1.20.2-150000.1.5.1.x86_64", }, }, { category: "product_version", name: "go1.20-doc-1.20.2-150000.1.5.1.x86_64", product: { name: "go1.20-doc-1.20.2-150000.1.5.1.x86_64", product_id: "go1.20-doc-1.20.2-150000.1.5.1.x86_64", }, }, { category: "product_version", name: "go1.20-race-1.20.2-150000.1.5.1.x86_64", product: { name: 
"go1.20-race-1.20.2-150000.1.5.1.x86_64", product_id: "go1.20-race-1.20.2-150000.1.5.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "SUSE Linux Enterprise Module for Development Tools 15 SP4", product: { name: "SUSE Linux Enterprise Module for Development Tools 15 SP4", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP4", product_identification_helper: { cpe: "cpe:/o:suse:sle-module-development-tools:15:sp4", }, }, }, { category: "product_name", name: "openSUSE Leap 15.4", product: { name: "openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4", product_identification_helper: { cpe: "cpe:/o:opensuse:leap:15.4", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "go1.20-1.20.2-150000.1.5.1.aarch64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP4", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", }, product_reference: "go1.20-1.20.2-150000.1.5.1.aarch64", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP4", }, { category: "default_component_of", full_product_name: { name: "go1.20-1.20.2-150000.1.5.1.ppc64le as component of SUSE Linux Enterprise Module for Development Tools 15 SP4", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", }, product_reference: "go1.20-1.20.2-150000.1.5.1.ppc64le", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP4", }, { category: "default_component_of", full_product_name: { name: "go1.20-1.20.2-150000.1.5.1.s390x as component of SUSE Linux Enterprise Module for Development Tools 15 SP4", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", }, 
product_reference: "go1.20-1.20.2-150000.1.5.1.s390x", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP4", }, { category: "default_component_of", full_product_name: { name: "go1.20-1.20.2-150000.1.5.1.x86_64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP4", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", }, product_reference: "go1.20-1.20.2-150000.1.5.1.x86_64", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP4", }, { category: "default_component_of", full_product_name: { name: "go1.20-doc-1.20.2-150000.1.5.1.aarch64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP4", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", }, product_reference: "go1.20-doc-1.20.2-150000.1.5.1.aarch64", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP4", }, { category: "default_component_of", full_product_name: { name: "go1.20-doc-1.20.2-150000.1.5.1.ppc64le as component of SUSE Linux Enterprise Module for Development Tools 15 SP4", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", }, product_reference: "go1.20-doc-1.20.2-150000.1.5.1.ppc64le", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP4", }, { category: "default_component_of", full_product_name: { name: "go1.20-doc-1.20.2-150000.1.5.1.s390x as component of SUSE Linux Enterprise Module for Development Tools 15 SP4", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", }, product_reference: "go1.20-doc-1.20.2-150000.1.5.1.s390x", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP4", }, { category: "default_component_of", full_product_name: { name: 
"go1.20-doc-1.20.2-150000.1.5.1.x86_64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP4", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", }, product_reference: "go1.20-doc-1.20.2-150000.1.5.1.x86_64", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP4", }, { category: "default_component_of", full_product_name: { name: "go1.20-race-1.20.2-150000.1.5.1.aarch64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP4", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", }, product_reference: "go1.20-race-1.20.2-150000.1.5.1.aarch64", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP4", }, { category: "default_component_of", full_product_name: { name: "go1.20-race-1.20.2-150000.1.5.1.x86_64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP4", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", }, product_reference: "go1.20-race-1.20.2-150000.1.5.1.x86_64", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP4", }, { category: "default_component_of", full_product_name: { name: "go1.20-1.20.2-150000.1.5.1.ppc64le as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", }, product_reference: "go1.20-1.20.2-150000.1.5.1.ppc64le", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "go1.20-1.20.2-150000.1.5.1.s390x as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.s390x", }, product_reference: "go1.20-1.20.2-150000.1.5.1.s390x", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: 
"go1.20-1.20.2-150000.1.5.1.x86_64 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.x86_64", }, product_reference: "go1.20-1.20.2-150000.1.5.1.x86_64", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "go1.20-doc-1.20.2-150000.1.5.1.aarch64 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", }, product_reference: "go1.20-doc-1.20.2-150000.1.5.1.aarch64", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "go1.20-doc-1.20.2-150000.1.5.1.ppc64le as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", }, product_reference: "go1.20-doc-1.20.2-150000.1.5.1.ppc64le", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "go1.20-doc-1.20.2-150000.1.5.1.s390x as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", }, product_reference: "go1.20-doc-1.20.2-150000.1.5.1.s390x", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "go1.20-doc-1.20.2-150000.1.5.1.x86_64 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", }, product_reference: "go1.20-doc-1.20.2-150000.1.5.1.x86_64", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "go1.20-race-1.20.2-150000.1.5.1.aarch64 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", }, product_reference: "go1.20-race-1.20.2-150000.1.5.1.aarch64", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: 
"go1.20-race-1.20.2-150000.1.5.1.x86_64 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", }, product_reference: "go1.20-race-1.20.2-150000.1.5.1.x86_64", relates_to_product_reference: "openSUSE Leap 15.4", }, ], }, vulnerabilities: [ { cve: "CVE-2022-41722", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2022-41722", }, ], notes: [ { category: "general", text: "A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as \"a/../c:/b\" into the valid path \"c:\\b\". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path \".\\c:\\b\".", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", 
"openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2022-41722", url: "https://www.suse.com/security/cve/CVE-2022-41722", }, { category: "external", summary: "SUSE Bug 1208269 for CVE-2022-41722", url: "https://bugzilla.suse.com/1208269", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 
15.4:go1.20-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 
15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2023-03-14T17:07:51Z", details: "important", }, ], title: "CVE-2022-41722", }, { cve: "CVE-2022-41723", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2022-41723", }, ], notes: [ { category: "general", text: "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 
15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2022-41723", url: "https://www.suse.com/security/cve/CVE-2022-41723", }, { category: "external", summary: "SUSE Bug 1208270 for CVE-2022-41723", url: "https://bugzilla.suse.com/1208270", }, { category: "external", summary: "SUSE Bug 1215588 for CVE-2022-41723", url: "https://bugzilla.suse.com/1215588", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 
15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 
15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2023-03-14T17:07:51Z", details: "important", }, ], title: "CVE-2022-41723", }, { cve: "CVE-2022-41724", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2022-41724", }, ], notes: [ { category: "general", text: "Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 
15.4:go1.20-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2022-41724", url: "https://www.suse.com/security/cve/CVE-2022-41724", }, { category: "external", summary: "SUSE Bug 1208271 for CVE-2022-41724", url: "https://bugzilla.suse.com/1208271", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 
15.4:go1.20-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 
15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2023-03-14T17:07:51Z", details: "important", }, ], title: "CVE-2022-41724", }, { cve: "CVE-2022-41725", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2022-41725", }, ], notes: [ { category: "general", text: "A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing \"up to maxMemory bytes +10MB (reserved for non-file parts) in memory\". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. 
The mime/multipart.File interface type's documentation states, \"If stored on disk, the File's underlying concrete type will be an *os.File.\". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 
15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2022-41725", url: "https://www.suse.com/security/cve/CVE-2022-41725", }, { category: "external", summary: "SUSE Bug 1208272 for CVE-2022-41725", url: "https://bugzilla.suse.com/1208272", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 
15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2023-03-14T17:07:51Z", details: "moderate", }, 
], title: "CVE-2022-41725", }, { cve: "CVE-2023-24532", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2023-24532", }, ], notes: [ { category: "general", text: "The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 
15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2023-24532", url: "https://www.suse.com/security/cve/CVE-2023-24532", }, { category: "external", summary: "SUSE Bug 1209030 for CVE-2023-24532", url: "https://bugzilla.suse.com/1209030", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 
15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.4, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.ppc64le", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.s390x", "openSUSE Leap 15.4:go1.20-doc-1.20.2-150000.1.5.1.x86_64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.aarch64", "openSUSE Leap 15.4:go1.20-race-1.20.2-150000.1.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2023-03-14T17:07:51Z", details: "important", }, ], title: "CVE-2023-24532", }, ], }