SLFO/patchinfo.20250124123319045695.269002615871826/_patchinfo

<patchinfo incident="5">
  <!-- generated from request(s) 349644 -->
  <issue tracker="bnc" id="1212475">go1.21 release tracking</issue>
  <issue tracker="bnc" id="1220999">VUL-0: CVE-2024-24783 go1.21,go1.22: crypto/x509: Verify panics on certificates with an unknown public key algorithm</issue>
  <issue tracker="bnc" id="1221000">VUL-0: CVE-2023-45289 go1.21,go1.22: net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect</issue>
  <issue tracker="bnc" id="1221001">VUL-0: CVE-2023-45290 go1.21,go1.22: net/http: memory exhaustion in Request.ParseMultipartForm</issue>
  <issue tracker="bnc" id="1221002">VUL-0: CVE-2024-24784 go1.21,go1.22: net/mail: comments in display names are incorrectly handled</issue>
  <issue tracker="bnc" id="1221003">VUL-0: CVE-2024-24785 go1.21,go1.22: html/template: errors returned from MarshalJSON methods may break template escaping</issue>
  <issue tracker="bnc" id="1221400">VUL-0: CVE-2023-45288: go1.21,go1.22: net/http, x/net/http2: close connections when receiving too many headers</issue>
  <issue tracker="bnc" id="1224017">VUL-0: CVE-2024-24787: go1.21,go1.22: cmd/go: arbitrary code execution during build on darwin</issue>
  <issue tracker="bnc" id="1225973">VUL-0: CVE-2024-24789: go1.21,go1.22: archive/zip: mishandling of corrupt central directory record</issue>
  <issue tracker="bnc" id="1225974">VUL-0: CVE-2024-24790: go1.21,go1.22: net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses</issue>
  <issue tracker="bnc" id="1227314">VUL-0: CVE-2024-24791 go1.21,go1.22: net/http: denial of service due to improper 100-continue handling</issue>
  <issue tracker="bnc" id="1230252">VUL-0: CVE-2024-34155: go1.22,go1.23: go/parser: stack exhaustion in all Parse* functions</issue>
  <issue tracker="bnc" id="1230253">VUL-0: CVE-2024-34156: go1.22,go1.23: encoding/gob: stack exhaustion in Decoder.Decode</issue>
  <issue tracker="bnc" id="1230254">VUL-0: CVE-2024-34158: go1.22,go1.23: go/build/constraint: stack exhaustion in Parse</issue>
  <issue tracker="cve" id="2023-45288"/>
  <issue tracker="cve" id="2023-45289"/>
  <issue tracker="cve" id="2023-45290"/>
  <issue tracker="cve" id="2024-24783"/>
  <issue tracker="cve" id="2024-24784"/>
  <issue tracker="cve" id="2024-24785"/>
  <issue tracker="cve" id="2024-24787"/>
  <issue tracker="cve" id="2024-24789"/>
  <issue tracker="cve" id="2024-24790"/>
  <issue tracker="cve" id="2024-24791"/>
  <issue tracker="cve" id="2024-34155"/>
  <issue tracker="cve" id="2024-34156"/>
  <issue tracker="cve" id="2024-34158"/>
  <issue tracker="jsc" id="SLE-18320"/>
  <packager>jfkw</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for go1.21-openssl</summary>
  <description>This update for go1.21-openssl fixes the following issues:

- Packaging improvements:
  Refs jsc#SLE-18320
  * Iterate over all patches in the upstream patch set.

- Update to version 1.21.13.4 cut from the go1.21-fips-release
  branch at the revision tagged go1.21.13-4-openssl-fips.
  Refs jsc#SLE-18320
  * Update update initial openssl patch to reflect the previous
    update (1.21.13.2) to the openssl bindings

- Update to version 1.21.13.3 cut from the go1.21-fips-release
  branch at the revision tagged go1.21.13-3-openssl-fips.
  Refs jsc#SLE-18320
  * Backport CVE fixes from Go 1.22.7 (#230)
    Upstream creates backports since go1.23-openssl not yet branched
  * go#69142 go#69138 bsc#1230252 security: fixes CVE-2024-34155 go/parser: track depth in nested element lists
  * go#69144 go#69139 bsc#1230253 security: fixes CVE-2024-34156 encoding/gob: cover missed cases when checking ignore depth
  * go#69148 go#69141 bsc#1230254 security: fixes CVE-2024-34158 go/build/constraint: add parsing limits

- Update to version 1.21.13.2 cut from the go1.21-fips-release
  branch at the revision tagged go1.21.13-2-openssl-fips.
  Refs jsc#SLE-18320
  * Fast forward golang-fips/openssl to latest v1 (#225)

- Update to version 1.21.13.1 cut from the go1.21-fips-release
  branch at the revision tagged go1.21.13-1-openssl-fips.
  Refs jsc#SLE-18320
  * Update to go1.21.13

- go1.21.13 (released 2024-08-06) includes fixes to the go command,
  the covdata command, and the bytes package.
  Refs bsc#1212475 go1.21 release tracking
  * go#68491 cmd/covdata: too many open files due to defer f.Close() in for loop
  * go#68474 bytes: IndexByte can return -4294967295 when memory usage is above 2^31 on js/wasm
  * go#68221 cmd/go: list with -export and -covermode=atomic fails to build

- go1.21.12 (released 2024-07-02) includes security fixes to the
  net/http package, as well as bug fixes to the compiler, the go
  command, the runtime, and the crypto/x509, net/http, net/netip,
  and os packages.
  Refs bsc#1212475 go1.21 release tracking
  CVE-2024-24791
  * go#68199 go#67555 bsc#1227314 security: fix CVE CVE-2024-24791 net/http: expect: 100-continue handling is broken in various ways
  * go#67297 runtime: "fatal: morestack on g0" on amd64 after upgrade to Go 1.21, stale bounds
  * go#67426 cmd/link: need to handle new-style loong64 relocs
  * go#67714 cmd/cgo/internal/swig,cmd/go,x/build: swig cgo tests incompatible with C++ toolchain on builders
  * go#67849 go/internal/gccgoimporter: go building failing with gcc 14.1.0
  * go#67933 net: go DNS resolver fails to connect to local DNS server
  * go#67944 cmd/link: using -fuzz with test that links with cgo on darwin causes linker failure
  * go#68051 cmd/go: go list -u -m all fails loading module retractions: module requires go &gt;= 1.N+1 (running go 1.N)

Wed Jun  5 19:13:50 2024 - Jeff Kowalczyk &lt;jkowalczyk@suse.com&gt;
- Update to version 1.21.11.1 cut from the go1.21-fips-release
  branch at the revision tagged go1.21.11-1-openssl-fips.
  Refs jsc#SLE-18320
  * Update to go1.21.11

- go1.21.11 (released 2024-06-04) includes security fixes to the
  archive/zip and net/netip packages, as well as bug fixes to the
  compiler, the go command, the runtime, and the os package.
  Refs bsc#1212475 go1.21 release tracking
  CVE-2024-24789 CVE-2024-24790
  * go#67553 go#66869 bsc#1225973 security: fix CVE-2024-24789 archive/zip: EOCDR comment length handling is inconsistent with other ZIP implementations
  * go#67681 go#67680 bsc#1225974 security: fix CVE-2024-24790 net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
  * go#64586 cmd/go: spurious "v1.x.y is not a tag" error when a tag's commit was previously download without the tag
  * go#67164 cmd/compile: SIGBUS unaligned access on mips64 via qemu-mips64
  * go#67187 runtime/metrics: /memory/classes/heap/unused:bytes spikes
  * go#67235 cmd/go: mod tidy reports toolchain not available with 'go 1.21'
  * go#67310 cmd/go: TestScript/gotoolchain_issue66175 fails on tip locally
  * go#67351 crypto/x509: TestPlatformVerifier failures on Windows due to broken connections
  * go#67695 os: RemoveAll susceptible to symlink race

Wed May 22 13:12:33 2024 - Jeff Kowalczyk &lt;jkowalczyk@suse.com&gt;
- Update to version 1.21.10.1 cut from the go1.21-fips-release
  branch at the revision tagged go1.21.10-1-openssl-fips.
  Refs jsc#SLE-18320
  * Update to go1.21.10
  *  backport of fix linkage in RHEL builds to go1.21
  *  Skip broken PKCS overlong message test

- go1.21.10 (released 2024-05-07) includes security fixes to the go
  command, as well as bug fixes to the net/http package.
  Refs bsc#1212475 go1.21 release tracking
  CVE-2024-24787
  * go#67121 go#67119 bsc#1224017 security: fix CVE-2024-24787 cmd/go: arbitrary code execution during build on darwin
  * go#66697 net/http: TestRequestLimit/h2 becomes significantly more expensive and slower after x/net@v0.23.0

- Update to version 1.21.9.1 cut from the go1.21-fips-release
  branch at the revision tagged go1.21.9-1-openssl-fips.
  Refs jsc#SLE-18320
  * Update to go1.21.9

- go1.21.9 (released 2024-04-03) includes a security fix to the
  net/http package, as well as bug fixes to the linker, and the
  go/types and net/http packages.
  Refs bsc#1212475 go1.21 release tracking
  CVE-2023-45288
  * go#65387 go#65051 bsc#1221400 security: fix CVE-2023-45288 net/http, x/net/http2: close connections when receiving too many headers
  * go#66254 net/http: http2 round tripper nil pointer dereference causes panic causing deadlock
  * go#66326 cmd/compile: //go:build file version ignored when using generic function from package "slices" in Go 1.21
  * go#66411 cmd/link: bad carrier sym for symbol runtime.elf_savegpr0.args_stackmap on ppc64le

</description>
  <package>go1.21-openssl</package>
  <seperate_build_arch/>
</patchinfo>
Update incident numbers 2025-01-27 09:46:48 +00:00			`<patchinfo incident="5">`
Adding patchinfo patchinfo.20250124123319045695.269002615871826 2025-01-27 10:45:49 +01:00			`<!-- generated from request(s) 349644 -->`
			`<issue tracker="bnc" id="1212475">go1.21 release tracking</issue>`
			`<issue tracker="bnc" id="1220999">VUL-0: CVE-2024-24783 go1.21,go1.22: crypto/x509: Verify panics on certificates with an unknown public key algorithm</issue>`
			`<issue tracker="bnc" id="1221000">VUL-0: CVE-2023-45289 go1.21,go1.22: net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect</issue>`
			`<issue tracker="bnc" id="1221001">VUL-0: CVE-2023-45290 go1.21,go1.22: net/http: memory exhaustion in Request.ParseMultipartForm</issue>`
			`<issue tracker="bnc" id="1221002">VUL-0: CVE-2024-24784 go1.21,go1.22: net/mail: comments in display names are incorrectly handled</issue>`
			`<issue tracker="bnc" id="1221003">VUL-0: CVE-2024-24785 go1.21,go1.22: html/template: errors returned from MarshalJSON methods may break template escaping</issue>`
			`<issue tracker="bnc" id="1221400">VUL-0: CVE-2023-45288: go1.21,go1.22: net/http, x/net/http2: close connections when receiving too many headers</issue>`
			`<issue tracker="bnc" id="1224017">VUL-0: CVE-2024-24787: go1.21,go1.22: cmd/go: arbitrary code execution during build on darwin</issue>`
			`<issue tracker="bnc" id="1225973">VUL-0: CVE-2024-24789: go1.21,go1.22: archive/zip: mishandling of corrupt central directory record</issue>`
			`<issue tracker="bnc" id="1225974">VUL-0: CVE-2024-24790: go1.21,go1.22: net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses</issue>`
			`<issue tracker="bnc" id="1227314">VUL-0: CVE-2024-24791 go1.21,go1.22: net/http: denial of service due to improper 100-continue handling</issue>`
			`<issue tracker="bnc" id="1230252">VUL-0: CVE-2024-34155: go1.22,go1.23: go/parser: stack exhaustion in all Parse* functions</issue>`
			`<issue tracker="bnc" id="1230253">VUL-0: CVE-2024-34156: go1.22,go1.23: encoding/gob: stack exhaustion in Decoder.Decode</issue>`
			`<issue tracker="bnc" id="1230254">VUL-0: CVE-2024-34158: go1.22,go1.23: go/build/constraint: stack exhaustion in Parse</issue>`
			`<issue tracker="cve" id="2023-45288"/>`
			`<issue tracker="cve" id="2023-45289"/>`
			`<issue tracker="cve" id="2023-45290"/>`
			`<issue tracker="cve" id="2024-24783"/>`
			`<issue tracker="cve" id="2024-24784"/>`
			`<issue tracker="cve" id="2024-24785"/>`
			`<issue tracker="cve" id="2024-24787"/>`
			`<issue tracker="cve" id="2024-24789"/>`
			`<issue tracker="cve" id="2024-24790"/>`
			`<issue tracker="cve" id="2024-24791"/>`
			`<issue tracker="cve" id="2024-34155"/>`
			`<issue tracker="cve" id="2024-34156"/>`
			`<issue tracker="cve" id="2024-34158"/>`
			`<issue tracker="jsc" id="SLE-18320"/>`
			`<packager>jfkw</packager>`
			`<rating>moderate</rating>`
			`<category>security</category>`
			`<summary>Security update for go1.21-openssl</summary>`
			`<description>This update for go1.21-openssl fixes the following issues:`

			`- Packaging improvements:`
			`Refs jsc#SLE-18320`
			`* Iterate over all patches in the upstream patch set.`

			`- Update to version 1.21.13.4 cut from the go1.21-fips-release`
			`branch at the revision tagged go1.21.13-4-openssl-fips.`
			`Refs jsc#SLE-18320`
			`* Update update initial openssl patch to reflect the previous`
			`update (1.21.13.2) to the openssl bindings`

			`- Update to version 1.21.13.3 cut from the go1.21-fips-release`
			`branch at the revision tagged go1.21.13-3-openssl-fips.`
			`Refs jsc#SLE-18320`
			`* Backport CVE fixes from Go 1.22.7 (#230)`
			`Upstream creates backports since go1.23-openssl not yet branched`
			`* go#69142 go#69138 bsc#1230252 security: fixes CVE-2024-34155 go/parser: track depth in nested element lists`
			`* go#69144 go#69139 bsc#1230253 security: fixes CVE-2024-34156 encoding/gob: cover missed cases when checking ignore depth`
			`* go#69148 go#69141 bsc#1230254 security: fixes CVE-2024-34158 go/build/constraint: add parsing limits`

			`- Update to version 1.21.13.2 cut from the go1.21-fips-release`
			`branch at the revision tagged go1.21.13-2-openssl-fips.`
			`Refs jsc#SLE-18320`
			`* Fast forward golang-fips/openssl to latest v1 (#225)`

			`- Update to version 1.21.13.1 cut from the go1.21-fips-release`
			`branch at the revision tagged go1.21.13-1-openssl-fips.`
			`Refs jsc#SLE-18320`
			`* Update to go1.21.13`

			`- go1.21.13 (released 2024-08-06) includes fixes to the go command,`
			`the covdata command, and the bytes package.`
			`Refs bsc#1212475 go1.21 release tracking`
			`* go#68491 cmd/covdata: too many open files due to defer f.Close() in for loop`
			`* go#68474 bytes: IndexByte can return -4294967295 when memory usage is above 2^31 on js/wasm`
			`* go#68221 cmd/go: list with -export and -covermode=atomic fails to build`

			`- go1.21.12 (released 2024-07-02) includes security fixes to the`
			`net/http package, as well as bug fixes to the compiler, the go`
			`command, the runtime, and the crypto/x509, net/http, net/netip,`
			`and os packages.`
			`Refs bsc#1212475 go1.21 release tracking`
			`CVE-2024-24791`
			`* go#68199 go#67555 bsc#1227314 security: fix CVE CVE-2024-24791 net/http: expect: 100-continue handling is broken in various ways`
			`* go#67297 runtime: "fatal: morestack on g0" on amd64 after upgrade to Go 1.21, stale bounds`
			`* go#67426 cmd/link: need to handle new-style loong64 relocs`
			`* go#67714 cmd/cgo/internal/swig,cmd/go,x/build: swig cgo tests incompatible with C++ toolchain on builders`
			`* go#67849 go/internal/gccgoimporter: go building failing with gcc 14.1.0`
			`* go#67933 net: go DNS resolver fails to connect to local DNS server`
			`* go#67944 cmd/link: using -fuzz with test that links with cgo on darwin causes linker failure`
			`* go#68051 cmd/go: go list -u -m all fails loading module retractions: module requires go >= 1.N+1 (running go 1.N)`

			`Wed Jun 5 19:13:50 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>`
			`- Update to version 1.21.11.1 cut from the go1.21-fips-release`
			`branch at the revision tagged go1.21.11-1-openssl-fips.`
			`Refs jsc#SLE-18320`
			`* Update to go1.21.11`

			`- go1.21.11 (released 2024-06-04) includes security fixes to the`
			`archive/zip and net/netip packages, as well as bug fixes to the`
			`compiler, the go command, the runtime, and the os package.`
			`Refs bsc#1212475 go1.21 release tracking`
			`CVE-2024-24789 CVE-2024-24790`
			`* go#67553 go#66869 bsc#1225973 security: fix CVE-2024-24789 archive/zip: EOCDR comment length handling is inconsistent with other ZIP implementations`
			`* go#67681 go#67680 bsc#1225974 security: fix CVE-2024-24790 net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses`
			`* go#64586 cmd/go: spurious "v1.x.y is not a tag" error when a tag's commit was previously download without the tag`
			`* go#67164 cmd/compile: SIGBUS unaligned access on mips64 via qemu-mips64`
			`* go#67187 runtime/metrics: /memory/classes/heap/unused:bytes spikes`
			`* go#67235 cmd/go: mod tidy reports toolchain not available with 'go 1.21'`
			`* go#67310 cmd/go: TestScript/gotoolchain_issue66175 fails on tip locally`
			`* go#67351 crypto/x509: TestPlatformVerifier failures on Windows due to broken connections`
			`* go#67695 os: RemoveAll susceptible to symlink race`

			`Wed May 22 13:12:33 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>`
			`- Update to version 1.21.10.1 cut from the go1.21-fips-release`
			`branch at the revision tagged go1.21.10-1-openssl-fips.`
			`Refs jsc#SLE-18320`
			`* Update to go1.21.10`
			`* backport of fix linkage in RHEL builds to go1.21`
			`* Skip broken PKCS overlong message test`

			`- go1.21.10 (released 2024-05-07) includes security fixes to the go`
			`command, as well as bug fixes to the net/http package.`
			`Refs bsc#1212475 go1.21 release tracking`
			`CVE-2024-24787`
			`* go#67121 go#67119 bsc#1224017 security: fix CVE-2024-24787 cmd/go: arbitrary code execution during build on darwin`
			`* go#66697 net/http: TestRequestLimit/h2 becomes significantly more expensive and slower after x/net@v0.23.0`

			`- Update to version 1.21.9.1 cut from the go1.21-fips-release`
			`branch at the revision tagged go1.21.9-1-openssl-fips.`
			`Refs jsc#SLE-18320`
			`* Update to go1.21.9`

			`- go1.21.9 (released 2024-04-03) includes a security fix to the`
			`net/http package, as well as bug fixes to the linker, and the`
			`go/types and net/http packages.`
			`Refs bsc#1212475 go1.21 release tracking`
			`CVE-2023-45288`
			`* go#65387 go#65051 bsc#1221400 security: fix CVE-2023-45288 net/http, x/net/http2: close connections when receiving too many headers`
			`* go#66254 net/http: http2 round tripper nil pointer dereference causes panic causing deadlock`
			`* go#66326 cmd/compile: //go:build file version ignored when using generic function from package "slices" in Go 1.21`
			`* go#66411 cmd/link: bad carrier sym for symbol runtime.elf_savegpr0.args_stackmap on ppc64le`

			`</description>`
			`<package>go1.21-openssl</package>`
			`<seperate_build_arch/>`
Update incident numbers 2025-01-27 09:46:48 +00:00			`</patchinfo>`