<patchinfo>
  <!-- generated from request(s) 349644 -->
  <issue tracker="bnc" id="1212475">go1.21 release tracking</issue>
  <issue tracker="bnc" id="1220999">VUL-0: CVE-2024-24783 go1.21,go1.22: crypto/x509: Verify panics on certificates with an unknown public key algorithm</issue>
  <issue tracker="bnc" id="1221000">VUL-0: CVE-2023-45289 go1.21,go1.22: net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect</issue>
  <issue tracker="bnc" id="1221001">VUL-0: CVE-2023-45290 go1.21,go1.22: net/http: memory exhaustion in Request.ParseMultipartForm</issue>
  <issue tracker="bnc" id="1221002">VUL-0: CVE-2024-24784 go1.21,go1.22: net/mail: comments in display names are incorrectly handled</issue>
  <issue tracker="bnc" id="1221003">VUL-0: CVE-2024-24785 go1.21,go1.22: html/template: errors returned from MarshalJSON methods may break template escaping</issue>
  <issue tracker="bnc" id="1221400">VUL-0: CVE-2023-45288: go1.21,go1.22: net/http, x/net/http2: close connections when receiving too many headers</issue>
  <issue tracker="bnc" id="1224017">VUL-0: CVE-2024-24787: go1.21,go1.22: cmd/go: arbitrary code execution during build on darwin</issue>
  <issue tracker="bnc" id="1225973">VUL-0: CVE-2024-24789: go1.21,go1.22: archive/zip: mishandling of corrupt central directory record</issue>
  <issue tracker="bnc" id="1225974">VUL-0: CVE-2024-24790: go1.21,go1.22: net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses</issue>
  <issue tracker="bnc" id="1227314">VUL-0: CVE-2024-24791 go1.21,go1.22: net/http: denial of service due to improper 100-continue handling</issue>
  <issue tracker="bnc" id="1230252">VUL-0: CVE-2024-34155: go1.22,go1.23: go/parser: stack exhaustion in all Parse* functions</issue>
  <issue tracker="bnc" id="1230253">VUL-0: CVE-2024-34156: go1.22,go1.23: encoding/gob: stack exhaustion in Decoder.Decode</issue>
  <issue tracker="bnc" id="1230254">VUL-0: CVE-2024-34158: go1.22,go1.23: go/build/constraint: stack exhaustion in Parse</issue>
  <issue tracker="cve" id="2023-45288"/>
  <issue tracker="cve" id="2023-45289"/>
  <issue tracker="cve" id="2023-45290"/>
  <issue tracker="cve" id="2024-24783"/>
  <issue tracker="cve" id="2024-24784"/>
  <issue tracker="cve" id="2024-24785"/>
  <issue tracker="cve" id="2024-24787"/>
  <issue tracker="cve" id="2024-24789"/>
  <issue tracker="cve" id="2024-24790"/>
  <issue tracker="cve" id="2024-24791"/>
  <issue tracker="cve" id="2024-34155"/>
  <issue tracker="cve" id="2024-34156"/>
  <issue tracker="cve" id="2024-34158"/>
  <issue tracker="jsc" id="SLE-18320"/>
  <packager>jfkw</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for go1.21-openssl</summary>
<description>This update for go1.21-openssl fixes the following issues:

- Packaging improvements:
  Refs jsc#SLE-18320
  * Iterate over all patches in the upstream patch set.

- Update to version 1.21.13.4 cut from the go1.21-fips-release
  branch at the revision tagged go1.21.13-4-openssl-fips.
  Refs jsc#SLE-18320
  * Update the initial openssl patch to reflect the previous
    update (1.21.13.2) to the openssl bindings

- Update to version 1.21.13.3 cut from the go1.21-fips-release
  branch at the revision tagged go1.21.13-3-openssl-fips.
  Refs jsc#SLE-18320
  * Backport CVE fixes from Go 1.22.7 (#230)
    Upstream created these backports because go1.23-openssl had not yet been branched
  * go#69142 go#69138 bsc#1230252 security: fixes CVE-2024-34155 go/parser: track depth in nested element lists
  * go#69144 go#69139 bsc#1230253 security: fixes CVE-2024-34156 encoding/gob: cover missed cases when checking ignore depth
  * go#69148 go#69141 bsc#1230254 security: fixes CVE-2024-34158 go/build/constraint: add parsing limits
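The three stack-exhaustion fixes above share one shape: a recursive parser handed attacker-controlled input with pathological nesting. The patched go/parser extends its own nesting limit to element lists, but a service that parses untrusted Go source should also cap nesting at its own boundary, under a limit the operator chose rather than one the attacker probes for. The program below is an added example written for this page, not code from the Go project or from the go1.21-openssl package; maxNesting, parseUntrusted and nested are hypothetical helper names and the limit of 64 is an illustrative policy value. It tokenises with go/scanner so that brackets inside string literals and comments are not counted, then refuses over-deep input before go/parser ever recurses on it:

```go
package main

import (
	"errors"
	"fmt"
	"go/ast"
	"go/parser"
	"go/scanner"
	"go/token"
	"strings"
)

// maxNesting tokenises src with go/scanner and returns the deepest bracket
// nesting it sees. Using the scanner rather than counting bytes means that
// brackets inside string literals and comments are ignored, and the scan
// itself runs in constant stack space regardless of input shape. Extra
// closing brackets are clamped at depth zero; the parser rejects them anyway.
func maxNesting(src string) int {
	fset := token.NewFileSet()
	file := fset.AddFile("untrusted.go", fset.Base(), len(src))
	var s scanner.Scanner
	s.Init(file, []byte(src), nil, 0)
	depth, deepest := 0, 0
	for {
		_, tok, _ := s.Scan()
		if tok == token.EOF {
			break
		}
		switch tok {
		case token.LPAREN, token.LBRACK, token.LBRACE:
			depth++
			if depth > deepest {
				deepest = depth
			}
		case token.RPAREN, token.RBRACK, token.RBRACE:
			if depth > 0 {
				depth--
			}
		}
	}
	return deepest
}

// ErrTooDeep is returned when input exceeds the caller's nesting policy.
var ErrTooDeep = errors.New("input exceeds nesting limit")

// parseUntrusted refuses to hand src to go/parser when its bracket nesting
// exceeds limit (hypothetical helper, not part of go1.21-openssl). limit is a
// policy value chosen by the caller: real Go code rarely nests more than a
// few dozen levels, so 64 leaves headroom while keeping parser recursion
// bounded by something the service owner picked.
func parseUntrusted(src string, limit int) (*ast.File, error) {
	if d := maxNesting(src); d > limit {
		return nil, fmt.Errorf("%w: depth %d, limit %d", ErrTooDeep, d, limit)
	}
	return parser.ParseFile(token.NewFileSet(), "untrusted.go", src, 0)
}

// nested builds a constructed, syntactically valid file whose initialiser is
// wrapped in n levels of parentheses: the input shape that exhausted the
// parser's stack before the fix.
func nested(n int) string {
	return "package p\nvar x = " + strings.Repeat("(", n) + "1" + strings.Repeat(")", n) + "\n"
}

func main() {
	for _, n := range []int{8, 64, 100000} {
		_, err := parseUntrusted(nested(n), 64)
		fmt.Printf("depth %6d: err=%v\n", n, err)
	}
}
```

Run it with go run: the first two inputs parse, the 100000-level one is rejected by the pre-check without go/parser being invoked. This kind of textual pre-check does not transfer to encoding/gob, where the nesting lives inside the binary stream rather than in brackets; for CVE-2024-34156 the control is the updated toolchain itself, so consumers must be rebuilt against it.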

- Update to version 1.21.13.2 cut from the go1.21-fips-release
  branch at the revision tagged go1.21.13-2-openssl-fips.
  Refs jsc#SLE-18320
  * Fast forward golang-fips/openssl to latest v1 (#225)

- Update to version 1.21.13.1 cut from the go1.21-fips-release
  branch at the revision tagged go1.21.13-1-openssl-fips.
  Refs jsc#SLE-18320
  * Update to go1.21.13

- go1.21.13 (released 2024-08-06) includes fixes to the go command,
  the covdata command, and the bytes package.
  Refs bsc#1212475 go1.21 release tracking
  * go#68491 cmd/covdata: too many open files due to defer f.Close() in for loop
  * go#68474 bytes: IndexByte can return -4294967295 when memory usage is above 2^31 on js/wasm
  * go#68221 cmd/go: list with -export and -covermode=atomic fails to build

- go1.21.12 (released 2024-07-02) includes security fixes to the
  net/http package, as well as bug fixes to the compiler, the go
  command, the runtime, and the crypto/x509, net/http, net/netip,
  and os packages.
  Refs bsc#1212475 go1.21 release tracking
  CVE-2024-24791
  * go#68199 go#67555 bsc#1227314 security: fix CVE-2024-24791 net/http: expect: 100-continue handling is broken in various ways
  * go#67297 runtime: "fatal: morestack on g0" on amd64 after upgrade to Go 1.21, stale bounds
  * go#67426 cmd/link: need to handle new-style loong64 relocs
  * go#67714 cmd/cgo/internal/swig,cmd/go,x/build: swig cgo tests incompatible with C++ toolchain on builders
  * go#67849 go/internal/gccgoimporter: go building failing with gcc 14.1.0
  * go#67933 net: go DNS resolver fails to connect to local DNS server
  * go#67944 cmd/link: using -fuzz with test that links with cgo on darwin causes linker failure
  * go#68051 cmd/go: go list -u -m all fails loading module retractions: module requires go >= 1.N+1 (running go 1.N)

Wed Jun 5 19:13:50 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>

- Update to version 1.21.11.1 cut from the go1.21-fips-release
  branch at the revision tagged go1.21.11-1-openssl-fips.
  Refs jsc#SLE-18320
  * Update to go1.21.11

- go1.21.11 (released 2024-06-04) includes security fixes to the
  archive/zip and net/netip packages, as well as bug fixes to the
  compiler, the go command, the runtime, and the os package.
  Refs bsc#1212475 go1.21 release tracking
  CVE-2024-24789 CVE-2024-24790
  * go#67553 go#66869 bsc#1225973 security: fix CVE-2024-24789 archive/zip: EOCDR comment length handling is inconsistent with other ZIP implementations
  * go#67681 go#67680 bsc#1225974 security: fix CVE-2024-24790 net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
  * go#64586 cmd/go: spurious "v1.x.y is not a tag" error when a tag's commit was previously downloaded without the tag
  * go#67164 cmd/compile: SIGBUS unaligned access on mips64 via qemu-mips64
  * go#67187 runtime/metrics: /memory/classes/heap/unused:bytes spikes
  * go#67235 cmd/go: mod tidy reports toolchain not available with 'go 1.21'
  * go#67310 cmd/go: TestScript/gotoolchain_issue66175 fails on tip locally
  * go#67351 crypto/x509: TestPlatformVerifier failures on Windows due to broken connections
  * go#67695 os: RemoveAll susceptible to symlink race
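The net/netip entry above (CVE-2024-24790) matters to any code that uses the Is* methods as an SSRF or allow-list guard: before the fix, netip.MustParseAddr("::ffff:127.0.0.1").IsLoopback() returned false, so an IPv4-mapped literal passed a loopback check that its plain IPv4 form would have failed. The program below is an added example written for this page, not code from the Go project or from the go1.21-openssl package; isInternal and allowOutbound are hypothetical helper names and the sample inputs are constructed. It calls Unmap explicitly before the Is* checks, which gives the same answer on toolchains before and after the fix:

```go
package main

import (
	"fmt"
	"net/netip"
)

// isInternal reports whether addr is loopback, private (RFC 1918 or ULA),
// link-local unicast, or unspecified. It calls Unmap first so that an
// IPv4-mapped IPv6 address such as ::ffff:127.0.0.1 is judged by its IPv4
// meaning, which is the behaviour CVE-2024-24790 put into the Is* methods
// themselves. Doing it explicitly keeps the check correct on toolchains that
// predate the fix. (Hypothetical helper, not part of go1.21-openssl.)
func isInternal(addr netip.Addr) bool {
	a := addr.Unmap()
	if a.IsLoopback() {
		return true
	}
	if a.IsPrivate() {
		return true
	}
	if a.IsLinkLocalUnicast() {
		return true
	}
	if a.IsUnspecified() {
		return true
	}
	return false
}

// allowOutbound is the decision an SSRF guard would make for a user-supplied
// host (hypothetical helper). It accepts only IP literals, so hostnames must
// be resolved and each resulting address re-checked by the caller, and it
// refuses internal targets in both their IPv4 and IPv4-mapped spellings.
func allowOutbound(host string) (bool, error) {
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return false, fmt.Errorf("not an IP literal: %w", err)
	}
	if isInternal(addr) {
		return false, fmt.Errorf("%s is internal (unmapped form %s)", addr, addr.Unmap())
	}
	return true, nil
}

func main() {
	// Constructed sample inputs, including the IPv4-mapped forms that the
	// unfixed Is* methods classified as public.
	samples := []string{
		"127.0.0.1",
		"::ffff:127.0.0.1",
		"::ffff:10.0.0.5",
		"::ffff:0.0.0.0",
		"::ffff:8.8.8.8",
		"2001:db8::1",
		"fe80::1",
	}
	for _, h := range samples {
		ok, err := allowOutbound(h)
		fmt.Printf("%-18s allowed=%v err=%v\n", h, ok, err)
	}
}
```

The same Unmap-first rule applies to any comparison against a netip.Prefix allow-list: Prefix.Contains on a 4in6 address does not match an IPv4 prefix, so normalise before matching just as the helper normalises before the Is* calls.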

Wed May 22 13:12:33 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>

- Update to version 1.21.10.1 cut from the go1.21-fips-release
  branch at the revision tagged go1.21.10-1-openssl-fips.
  Refs jsc#SLE-18320
  * Update to go1.21.10
  * Backport the fix for linkage in RHEL builds to go1.21
  * Skip broken PKCS overlong message test

- go1.21.10 (released 2024-05-07) includes security fixes to the go
  command, as well as bug fixes to the net/http package.
  Refs bsc#1212475 go1.21 release tracking
  CVE-2024-24787
  * go#67121 go#67119 bsc#1224017 security: fix CVE-2024-24787 cmd/go: arbitrary code execution during build on darwin
  * go#66697 net/http: TestRequestLimit/h2 becomes significantly more expensive and slower after x/net@v0.23.0

- Update to version 1.21.9.1 cut from the go1.21-fips-release
  branch at the revision tagged go1.21.9-1-openssl-fips.
  Refs jsc#SLE-18320
  * Update to go1.21.9

- go1.21.9 (released 2024-04-03) includes a security fix to the
  net/http package, as well as bug fixes to the linker, and the
  go/types and net/http packages.
  Refs bsc#1212475 go1.21 release tracking
  CVE-2023-45288
  * go#65387 go#65051 bsc#1221400 security: fix CVE-2023-45288 net/http, x/net/http2: close connections when receiving too many headers
  * go#66254 net/http: http2 round tripper nil pointer dereference causes panic causing deadlock
  * go#66326 cmd/compile: //go:build file version ignored when using generic function from package "slices" in Go 1.21
  * go#66411 cmd/link: bad carrier sym for symbol runtime.elf_savegpr0.args_stackmap on ppc64le
</description>
  <package>go1.21-openssl</package>
  <seperate_build_arch/>
</patchinfo>