89 lines
5.4 KiB
Plaintext
89 lines
5.4 KiB
Plaintext
<patchinfo incident="9">
|
|
<!-- generated from request(s) 359003 -->
|
|
<issue tracker="bnc" id="1229122">go1.23 release tracking</issue>
|
|
<issue tracker="bnc" id="1236045">VUL-0: CVE-2024-45341: go1.22,go1.23: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints</issue>
|
|
<issue tracker="bnc" id="1236046">VUL-0: CVE-2024-45336: go1.22,go1.23: net/http: sensitive headers incorrectly sent after cross-domain redirect</issue>
|
|
<issue tracker="cve" id="2024-45336"/>
|
|
<issue tracker="cve" id="2024-45341"/>
|
|
<packager>jfkw</packager>
|
|
<rating>moderate</rating>
|
|
<category>security</category>
|
|
<summary>Security update for go1.23</summary>
|
|
<description>This update for go1.23 fixes the following issues:
|
|
|
|
- go1.23.5 (released 2025-01-16) includes security fixes to the
|
|
crypto/x509 and net/http packages, as well as bug fixes to the
|
|
compiler, the runtime, and the net package.
|
|
Refs bsc#1229122 go1.23 release tracking
|
|
CVE-2024-45341 CVE-2024-45336
|
|
* go#71208 go#71156 bsc#1236045 security: fix CVE-2024-45341 crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
|
|
* go#71211 go#70530 bsc#1236046 security: fix CVE-2024-45336 net/http: sensitive headers incorrectly sent after cross-domain redirect
|
|
* go#69988 runtime: severe performance drop for cgo calls in go1.22.5
|
|
* go#70517 cmd/compile/internal/importer: flip enable alias to true
|
|
* go#70789 os: io.Copy(net.Conn, os.Stdin) on MacOS terminate immediately without waiting for input
|
|
* go#71104 crypto/tls: TestVerifyConnection/TLSv12 failures
|
|
* go#71147 internal/trace: TestTraceCPUProfile/Stress failures
|
|
|
|
- Enable loongarch64 builds
|
|
|
|
- go1.23.4 (released 2024-12-03) includes fixes to the compiler,
|
|
the runtime, the trace command, and the syscall package.
|
|
Refs bsc#1229122 go1.23 release tracking
|
|
* go#70644 crypto/rsa: new key generation prohibitively slow under race detector
|
|
* go#70645 proposal: go/types: add Scope.Node convenience getter
|
|
* go#70646 x/tools/gopls: unimported completion corrupts import decl (client=BBEdit)
|
|
* go#70648 crypto/tls: TestHandshakeClientECDHEECDSAAESGCM/TLSv12 failures
|
|
* go#70649 x/benchmarks/sweet/cmd/sweet: TestSweetEndToEnd failures
|
|
* go#70650 crypto/tls: TestGetClientCertificate/TLSv13 failures
|
|
* go#70651 x/tools/go/gcexportdata: simplify implementation assuming go >= 1.21
|
|
* go#70654 cmd/go: Incorrect output from go list
|
|
* go#70655 x/build/cmd/relui: add workflows for some remaining manual recurring Go major release cycle tasks
|
|
* go#70657 proposal: bufio: Scanner.IterText/Scanner.IterBytes
|
|
* go#70658 x/net/http2: stuck extended CONNECT requests
|
|
* go#70659 os: TestRootDirFS failures on linux-mips64 and linux-mips64le arch-mips
|
|
* go#70660 crypto/ecdsa: TestRFC6979 failures on s390x
|
|
* go#70664 x/mobile: target maccatalyst cannot find OpenGLES header
|
|
* go#70665 x/tools/gopls: refactor.extract.variable fails at package level
|
|
* go#70666 x/tools/gopls: panic in GetIfaceStubInfo
|
|
* go#70667 proposal: crypto/x509: support extracting X25519 public keys from certificates
|
|
* go#70668 proposal: x/mobile: better support for unrecovered panics
|
|
* go#70669 cmd/go: local failure in TestScript/build_trimpath_cgo
|
|
* go#70670 cmd/link: unused functions aren't getting deadcoded from the binary
|
|
* go#70674 x/pkgsite: package removal request for https://pkg.go.dev/github.com/uisdevsquad/go-test/debugmate
|
|
* go#70675 cmd/go/internal/lockedfile: mountrpc flake in TestTransform on plan9
|
|
* go#70677 all: remote file server I/O flakiness with "Bad fid" errors on plan9
|
|
* go#70678 internal/poll: deadlock on 'Intel(R) Xeon(R) Platinum' when an FD is closed
|
|
* go#70679 mime/multipart: With go 1.23.3, mime/multipart does not link
|
|
|
|
- go1.23.3 (released 2024-11-06) includes fixes to the linker, the
|
|
runtime, and the net/http, os, and syscall packages.
|
|
Refs bsc#1229122 go1.23 release tracking
|
|
* go#69258 runtime: corrupted GoroutineProfile stack traces
|
|
* go#69259 runtime: multi-arch build via qemu fails to exec go binary
|
|
* go#69640 os: os.checkPidfd() crashes with SIGSYS
|
|
* go#69746 runtime: TestGdbAutotmpTypes failures
|
|
* go#69848 cmd/compile: syscall.Syscall15: nosplit stack over 792 byte limit
|
|
* go#69865 runtime: MutexProfile missing root frames in go1.23
|
|
* go#69882 time,runtime: too many concurrent timer firings for short time.Ticker
|
|
* go#69978 time,runtime: too many concurrent timer firings for short, fast-resetting time.Timer
|
|
* go#69992 cmd/link: LC_UUID not generated by go linker, resulting in failure to access local network on macOS 15
|
|
* go#70001 net/http/pprof: coroutines + pprof makes the program panic
|
|
* go#70020 net/http: short writes with FileServer on macos
|
|
|
|
- go1.23.2 (released 2024-10-01) includes fixes to the compiler,
|
|
cgo, the runtime, and the maps, os, os/exec, time, and unique
|
|
packages.
|
|
Refs bsc#1229122 go1.23 release tracking
|
|
* go#69119 os: double close pidfd if caller uses pidfd updated by os.StartProcess
|
|
* go#69156 maps: segmentation violation in maps.Clone
|
|
* go#69219 cmd/cgo: alignment issue with int128 inside of a struct
|
|
* go#69240 unique: fatal error: found pointer to free object
|
|
* go#69333 runtime,time: timer.Stop returns false even when no value is read from the channel
|
|
* go#69383 unique: large string still referenced, after interning only a small substring
|
|
* go#69402 os/exec: resource leak on exec failure
|
|
* go#69511 cmd/compile: mysterious crashes and non-determinism with range over func
|
|
|
|
</description>
|
|
<package>go1.23</package>
|
|
<seperate_build_arch/>
|
|
</patchinfo> |