go1.21 release tracking

VUL-0: CVE-2024-24783 go1.21,go1.22: crypto/x509: Verify panics on certificates with an unknown public key algorithm
VUL-0: CVE-2023-45289 go1.21,go1.22: net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
VUL-0: CVE-2023-45290 go1.21,go1.22: net/http: memory exhaustion in Request.ParseMultipartForm
VUL-0: CVE-2024-24784 go1.21,go1.22: net/mail: comments in display names are incorrectly handled
VUL-0: CVE-2024-24785 go1.21,go1.22: html/template: errors returned from MarshalJSON methods may break template escaping
VUL-0: CVE-2023-45288 go1.21,go1.22: net/http, x/net/http2: close connections when receiving too many headers
VUL-0: CVE-2024-24787 go1.21,go1.22: cmd/go: arbitrary code execution during build on darwin
VUL-0: CVE-2024-24789 go1.21,go1.22: archive/zip: mishandling of corrupt central directory record
VUL-0: CVE-2024-24790 go1.21,go1.22: net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
VUL-0: CVE-2024-24791 go1.21,go1.22: net/http: denial of service due to improper 100-continue handling
VUL-0: CVE-2024-34155 go1.22,go1.23: go/parser: stack exhaustion in all Parse* functions
VUL-0: CVE-2024-34156 go1.22,go1.23: encoding/gob: stack exhaustion in Decoder.Decode
VUL-0: CVE-2024-34158 go1.22,go1.23: go/build/constraint: stack exhaustion in Parse

jfkw moderate security

Security update for go1.21-openssl

This update for go1.21-openssl fixes the following issues:

- Packaging improvements:
  Refs jsc#SLE-18320
  * Iterate over all patches in the upstream patch set.

- Update to version 1.21.13.4 cut from the go1.21-fips-release branch
  at the revision tagged go1.21.13-4-openssl-fips.
  Refs jsc#SLE-18320
  * Update initial openssl patch to reflect the previous update (1.21.13.2) to the openssl bindings

- Update to version 1.21.13.3 cut from the go1.21-fips-release branch
  at the revision tagged go1.21.13-3-openssl-fips.
  Refs jsc#SLE-18320
  * Backport CVE fixes from Go 1.22.7 (#230)
    Upstream creates backports since go1.23-openssl is not yet branched
    * go#69142 go#69138 bsc#1230252 security: fixes CVE-2024-34155 go/parser: track depth in nested element lists
    * go#69144 go#69139 bsc#1230253 security: fixes CVE-2024-34156 encoding/gob: cover missed cases when checking ignore depth
    * go#69148 go#69141 bsc#1230254 security: fixes CVE-2024-34158 go/build/constraint: add parsing limits

- Update to version 1.21.13.2 cut from the go1.21-fips-release branch
  at the revision tagged go1.21.13-2-openssl-fips.
  Refs jsc#SLE-18320
  * Fast forward golang-fips/openssl to latest v1 (#225)

- Update to version 1.21.13.1 cut from the go1.21-fips-release branch
  at the revision tagged go1.21.13-1-openssl-fips.
  Refs jsc#SLE-18320
  * Update to go1.21.13

- go1.21.13 (released 2024-08-06) includes fixes to the go command, the covdata command, and the bytes package.
  Refs bsc#1212475 go1.21 release tracking
  * go#68491 cmd/covdata: too many open files due to defer f.Close() in for loop
  * go#68474 bytes: IndexByte can return -4294967295 when memory usage is above 2^31 on js/wasm
  * go#68221 cmd/go: list with -export and -covermode=atomic fails to build

- go1.21.12 (released 2024-07-02) includes security fixes to the net/http package, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/x509, net/http, net/netip, and os packages.
  Refs bsc#1212475 go1.21 release tracking
  CVE-2024-24791
  * go#68199 go#67555 bsc#1227314 security: fix CVE-2024-24791 net/http: expect: 100-continue handling is broken in various ways
  * go#67297 runtime: "fatal: morestack on g0" on amd64 after upgrade to Go 1.21, stale bounds
  * go#67426 cmd/link: need to handle new-style loong64 relocs
  * go#67714 cmd/cgo/internal/swig,cmd/go,x/build: swig cgo tests incompatible with C++ toolchain on builders
  * go#67849 go/internal/gccgoimporter: go building failing with gcc 14.1.0
  * go#67933 net: go DNS resolver fails to connect to local DNS server
  * go#67944 cmd/link: using -fuzz with test that links with cgo on darwin causes linker failure
  * go#68051 cmd/go: go list -u -m all fails loading module retractions: module requires go >= 1.N+1 (running go 1.N)

Wed Jun 5 19:13:50 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>

- Update to version 1.21.11.1 cut from the go1.21-fips-release branch
  at the revision tagged go1.21.11-1-openssl-fips.
  Refs jsc#SLE-18320
  * Update to go1.21.11

- go1.21.11 (released 2024-06-04) includes security fixes to the archive/zip and net/netip packages, as well as bug fixes to the compiler, the go command, the runtime, and the os package.
  Refs bsc#1212475 go1.21 release tracking
  CVE-2024-24789 CVE-2024-24790
  * go#67553 go#66869 bsc#1225973 security: fix CVE-2024-24789 archive/zip: EOCDR comment length handling is inconsistent with other ZIP implementations
  * go#67681 go#67680 bsc#1225974 security: fix CVE-2024-24790 net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
  * go#64586 cmd/go: spurious "v1.x.y is not a tag" error when a tag's commit was previously downloaded without the tag
  * go#67164 cmd/compile: SIGBUS unaligned access on mips64 via qemu-mips64
  * go#67187 runtime/metrics: /memory/classes/heap/unused:bytes spikes
  * go#67235 cmd/go: mod tidy reports toolchain not available with 'go 1.21'
  * go#67310 cmd/go: TestScript/gotoolchain_issue66175 fails on tip locally
  * go#67351 crypto/x509: TestPlatformVerifier failures on Windows due to broken connections
  * go#67695 os: RemoveAll susceptible to symlink race

Wed May 22 13:12:33 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>

- Update to version 1.21.10.1 cut from the go1.21-fips-release branch
  at the revision tagged go1.21.10-1-openssl-fips.
  Refs jsc#SLE-18320
  * Update to go1.21.10
  * Backport of fix for linkage in RHEL builds to go1.21
  * Skip broken PKCS overlong message test

- go1.21.10 (released 2024-05-07) includes security fixes to the go command, as well as bug fixes to the net/http package.
  Refs bsc#1212475 go1.21 release tracking
  CVE-2024-24787
  * go#67121 go#67119 bsc#1224017 security: fix CVE-2024-24787 cmd/go: arbitrary code execution during build on darwin
  * go#66697 net/http: TestRequestLimit/h2 becomes significantly more expensive and slower after x/net@v0.23.0

- Update to version 1.21.9.1 cut from the go1.21-fips-release branch
  at the revision tagged go1.21.9-1-openssl-fips.
  Refs jsc#SLE-18320
  * Update to go1.21.9

- go1.21.9 (released 2024-04-03) includes a security fix to the net/http package, as well as bug fixes to the linker, and the go/types and net/http packages.
  Refs bsc#1212475 go1.21 release tracking
  CVE-2023-45288
  * go#65387 go#65051 bsc#1221400 security: fix CVE-2023-45288 net/http, x/net/http2: close connections when receiving too many headers
  * go#66254 net/http: http2 round tripper nil pointer dereference causes panic causing deadlock
  * go#66326 cmd/compile: //go:build file version ignored when using generic function from package "slices" in Go 1.21
  * go#66411 cmd/link: bad carrier sym for symbol runtime.elf_savegpr0.args_stackmap on ppc64le