SUSE_ALP_Standard/patchinfo.20240912094229839720.269002615871826/_patchinfo

<patchinfo incident="53">
  <!-- generated from request(s) 344504, 344209, 344210, 344211, 344217, 344239, 339640, 339518, 345836 -->
  <issue tracker="bnc" id="1212475">go1.21 release tracking</issue>
  <issue tracker="bnc" id="1218424">go1.22 release tracking</issue>
  <issue tracker="bnc" id="1219724">VUL-0: CVE-2024-24806: libuv: libuv: Improper Domain Lookup that potentially leads to SSRF attacks</issue>
  <issue tracker="bnc" id="1219988">go1.20,go1.21,go1.22: ensure VERSION file is present in go1.x toolchain GOROOT</issue>
  <issue tracker="bnc" id="1219992">VUL-0: CVE-2024-21892: nodejs18,nodejs20,nodejs21: Code injection and privilege escalation through Linux capabilities</issue>
  <issue tracker="bnc" id="1219993">VUL-0: CVE-2024-22019: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs4,nodejs6,nodejs8: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks</issue>
  <issue tracker="bnc" id="1219994">VUL-0: CVE-2024-21896: nodejs20: Path traversal by monkey-patching Buffer internals</issue>
  <issue tracker="bnc" id="1219995">VUL-0: CVE-2024-22017: nodejs20: setuid() does not drop all privileges due to io_uring</issue>
  <issue tracker="bnc" id="1219997">VUL-0: CVE-2023-46809: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs4,nodejs6,nodejs8: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding)</issue>
  <issue tracker="bnc" id="1219998">VUL-0: CVE-2024-21891: nodejs20: Multiple permission model bypasses due to improper path traversal sequence sanitization</issue>
  <issue tracker="bnc" id="1219999">VUL-0: CVE-2024-21890: nodejs20: Improper handling of wildcards in --allow-fs-read and --allow-fs-write</issue>
  <issue tracker="bnc" id="1220014">VUL-0: CVE-2024-22025: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs4,nodejs6,nodejs8: Denial of Service by resource exhaustion in fetch() brotli decoding</issue>
  <issue tracker="bnc" id="1220017">VUL-0: CVE-2024-24758: nodejs16,nodejs18,nodejs20: ignore proxy-authorization header</issue>
  <issue tracker="bnc" id="1220053">VUL-0: CVE-2024-24806: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs8: libuv: improper domain lookup that potentially leads to SSRF attacks</issue>
  <issue tracker="bnc" id="1222244">VUL-0: nodejs20,nodejs18: VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks</issue>
  <issue tracker="bnc" id="1222384">VUL-0: CVE-2024-27982: nodejs18,nodejs20: HTTP Request Smuggling via Content Length Obfuscation</issue>
  <issue tracker="bnc" id="1222530">VUL-0: CVE-2024-30260: nodejs, nodejs-electron: undici: proxy-authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline</issue>
  <issue tracker="bnc" id="1222603">VUL-0: CVE-2024-30261: nodejs: fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect</issue>
  <issue tracker="bnc" id="1224017">VUL-0: CVE-2024-24787: go1.21,go1.22: cmd/go: arbitrary code execution during build on darwin</issue>
  <issue tracker="bnc" id="1224018">VUL-0: CVE-2024-24788: go1.22: net: malformed DNS message can cause infinite loop</issue>
  <issue tracker="bnc" id="1225973">VUL-0: CVE-2024-24789: go1.21,go1.22: archive/zip: mishandling of corrupt central directory record</issue>
  <issue tracker="bnc" id="1225974">VUL-0: CVE-2024-24790: go1.21,go1.22: net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses</issue>
  <issue tracker="bnc" id="1227314">VUL-0: CVE-2024-24791 go1.21,go1.22: net/http: denial of service due to improper 100-continue handling</issue>
  <issue tracker="bnc" id="1227554">VUL-0: CVE-2024-22020: nodejs: bypass network import restriction via data URL</issue>
  <issue tracker="bnc" id="1227560">VUL-0: CVE-2024-36138: nodejs: bypass incomplete fix of CVE-2024-27980</issue>
  <issue tracker="bnc" id="1227561">VUL-0: CVE-2024-36137: nodejs: fs.fchown/fchmod bypasses permission model</issue>
  <issue tracker="bnc" id="1227562">VUL-0: CVE-2024-22018: nodejs: fs.lstat bypasses permission model</issue>
  <issue tracker="bnc" id="1227563">VUL-0: CVE-2024-37372: nodejs: permission model improperly processes UNC paths</issue>
  <issue tracker="bnc" id="1228120">VUL-0: CVE-2024-6655: gtk2,gtk3,gtk4: library injection from current working directory</issue>
  <issue tracker="bnc" id="1229122">go1.23 release tracking</issue>
  <issue tracker="bnc" id="1230252">VUL-0: CVE-2024-34155: go1.22,go1.23: go/parser: stack exhaustion in all Parse* functions</issue>
  <issue tracker="bnc" id="1230253">VUL-0: CVE-2024-34156: go1.22,go1.23: encoding/gob: stack exhaustion in Decoder.Decode</issue>
  <issue tracker="bnc" id="1230254">VUL-0: CVE-2024-34158: go1.22,go1.23: go/build/constraint: stack exhaustion in Parse</issue>
  <issue tracker="bnc" id="1230623">golang-github-prometheus-promu: build failure for s390x when moving to go1.23</issue>
  <issue tracker="cve" id="2023-46809"/>
  <issue tracker="cve" id="2024-6655"/>
  <issue tracker="cve" id="2024-21890"/>
  <issue tracker="cve" id="2024-21891"/>
  <issue tracker="cve" id="2024-21892"/>
  <issue tracker="cve" id="2024-21896"/>
  <issue tracker="cve" id="2024-22017"/>
  <issue tracker="cve" id="2024-22018"/>
  <issue tracker="cve" id="2024-22019"/>
  <issue tracker="cve" id="2024-22020"/>
  <issue tracker="cve" id="2024-22025"/>
  <issue tracker="cve" id="2024-24758"/>
  <issue tracker="cve" id="2024-24787"/>
  <issue tracker="cve" id="2024-24788"/>
  <issue tracker="cve" id="2024-24789"/>
  <issue tracker="cve" id="2024-24790"/>
  <issue tracker="cve" id="2024-24791"/>
  <issue tracker="cve" id="2024-24806"/>
  <issue tracker="cve" id="2024-27980"/>
  <issue tracker="cve" id="2024-27982"/>
  <issue tracker="cve" id="2024-27983"/>
  <issue tracker="cve" id="2024-30260"/>
  <issue tracker="cve" id="2024-30261"/>
  <issue tracker="cve" id="2024-34155"/>
  <issue tracker="cve" id="2024-34156"/>
  <issue tracker="cve" id="2024-34158"/>
  <issue tracker="cve" id="2024-36137"/>
  <issue tracker="cve" id="2024-36138"/>
  <issue tracker="cve" id="2024-37372"/>
  <issue tracker="jsc" id="PED-3576"/>
  <packager>jfkw</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for go1.20, go1.21, go1.23, golang-github-prometheus-promu, go1.19, go1.22, gtk2, go, nodejs20</summary>
  <description>This update for go1.20, go1.21, go1.23, golang-github-prometheus-promu, go1.19, go1.22, gtk2, go, nodejs20 fixes the following issues:

go:
  - Update to current stable go1.23

go1.19:
  - Use %patch -P N instead of deprecated %patchN.

go1.20:
  - Packaging improvements:
    * Use %patch -P N instead of deprecated %patchN

  - Packaging improvements:
    * bsc#1219988 ensure VERSION file is present in GOROOT
      as required by go tool dist and go tool distpack

go1.21:
  - go1.21.13 (released 2024-08-06) 

go1.22:
  - go1.22.7 (released 2024-09-05)

go1.23:
  - go1.23.1 (released 2024-09-05) 
  
gtk2:
  - CVE-2024-6655 Stop looking for modules in cwd (bsc#1228120).

nodejs20:
  - Update to 20.15.1

golang-github-prometheus-promu:
  - Require Go 1.21 for building
  - Update to version 0.16.0
</description>
  <package>go</package>
  <package>go1.19</package>
  <package>go1.20</package>
  <package>go1.21</package>
  <package>go1.22</package>
  <package>go1.23</package>
  <package>golang-github-prometheus-promu</package>
  <package>gtk2</package>
  <package>nodejs20</package>
  <seperate_build_arch/>
</patchinfo>
Update incident numbers 2024-10-01 13:58:16 +02:00			`<patchinfo incident="53">`
Adding patchinfo patchinfo.20240912094229839720.269002615871826 2024-09-25 16:05:10 +02:00			`<!-- generated from request(s) 344504, 344209, 344210, 344211, 344217, 344239, 339640, 339518, 345836 -->`
			`<issue tracker="bnc" id="1212475">go1.21 release tracking</issue>`
			`<issue tracker="bnc" id="1218424">go1.22 release tracking</issue>`
			`<issue tracker="bnc" id="1219724">VUL-0: CVE-2024-24806: libuv: libuv: Improper Domain Lookup that potentially leads to SSRF attacks</issue>`
			`<issue tracker="bnc" id="1219988">go1.20,go1.21,go1.22: ensure VERSION file is present in go1.x toolchain GOROOT</issue>`
			`<issue tracker="bnc" id="1219992">VUL-0: CVE-2024-21892: nodejs18,nodejs20,nodejs21: Code injection and privilege escalation through Linux capabilities</issue>`
			`<issue tracker="bnc" id="1219993">VUL-0: CVE-2024-22019: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs4,nodejs6,nodejs8: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks</issue>`
			`<issue tracker="bnc" id="1219994">VUL-0: CVE-2024-21896: nodejs20: Path traversal by monkey-patching Buffer internals</issue>`
			`<issue tracker="bnc" id="1219995">VUL-0: CVE-2024-22017: nodejs20: setuid() does not drop all privileges due to io_uring</issue>`
			`<issue tracker="bnc" id="1219997">VUL-0: CVE-2023-46809: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs4,nodejs6,nodejs8: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding)</issue>`
			`<issue tracker="bnc" id="1219998">VUL-0: CVE-2024-21891: nodejs20: Multiple permission model bypasses due to improper path traversal sequence sanitization</issue>`
			`<issue tracker="bnc" id="1219999">VUL-0: CVE-2024-21890: nodejs20: Improper handling of wildcards in --allow-fs-read and --allow-fs-write</issue>`
			`<issue tracker="bnc" id="1220014">VUL-0: CVE-2024-22025: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs4,nodejs6,nodejs8: Denial of Service by resource exhaustion in fetch() brotli decoding</issue>`
			`<issue tracker="bnc" id="1220017">VUL-0: CVE-2024-24758: nodejs16,nodejs18,nodejs20: ignore proxy-authorization header</issue>`
			`<issue tracker="bnc" id="1220053">VUL-0: CVE-2024-24806: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs8: libuv: improper domain lookup that potentially leads to SSRF attacks</issue>`
			`<issue tracker="bnc" id="1222244">VUL-0: nodejs20,nodejs18: VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks</issue>`
			`<issue tracker="bnc" id="1222384">VUL-0: CVE-2024-27982: nodejs18,nodejs20: HTTP Request Smuggling via Content Length Obfuscation</issue>`
			`<issue tracker="bnc" id="1222530">VUL-0: CVE-2024-30260: nodejs, nodejs-electron: undici: proxy-authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline</issue>`
			`<issue tracker="bnc" id="1222603">VUL-0: CVE-2024-30261: nodejs: fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect</issue>`
			`<issue tracker="bnc" id="1224017">VUL-0: CVE-2024-24787: go1.21,go1.22: cmd/go: arbitrary code execution during build on darwin</issue>`
			`<issue tracker="bnc" id="1224018">VUL-0: CVE-2024-24788: go1.22: net: malformed DNS message can cause infinite loop</issue>`
			`<issue tracker="bnc" id="1225973">VUL-0: CVE-2024-24789: go1.21,go1.22: archive/zip: mishandling of corrupt central directory record</issue>`
			`<issue tracker="bnc" id="1225974">VUL-0: CVE-2024-24790: go1.21,go1.22: net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses</issue>`
			`<issue tracker="bnc" id="1227314">VUL-0: CVE-2024-24791 go1.21,go1.22: net/http: denial of service due to improper 100-continue handling</issue>`
			`<issue tracker="bnc" id="1227554">VUL-0: CVE-2024-22020: nodejs: bypass network import restriction via data URL</issue>`
			`<issue tracker="bnc" id="1227560">VUL-0: CVE-2024-36138: nodejs: bypass incomplete fix of CVE-2024-27980</issue>`
			`<issue tracker="bnc" id="1227561">VUL-0: CVE-2024-36137: nodejs: fs.fchown/fchmod bypasses permission model</issue>`
			`<issue tracker="bnc" id="1227562">VUL-0: CVE-2024-22018: nodejs: fs.lstat bypasses permission model</issue>`
			`<issue tracker="bnc" id="1227563">VUL-0: CVE-2024-37372: nodejs: permission model improperly processes UNC paths</issue>`
			`<issue tracker="bnc" id="1228120">VUL-0: CVE-2024-6655: gtk2,gtk3,gtk4: library injection from current working directory</issue>`
			`<issue tracker="bnc" id="1229122">go1.23 release tracking</issue>`
			`<issue tracker="bnc" id="1230252">VUL-0: CVE-2024-34155: go1.22,go1.23: go/parser: stack exhaustion in all Parse* functions</issue>`
			`<issue tracker="bnc" id="1230253">VUL-0: CVE-2024-34156: go1.22,go1.23: encoding/gob: stack exhaustion in Decoder.Decode</issue>`
			`<issue tracker="bnc" id="1230254">VUL-0: CVE-2024-34158: go1.22,go1.23: go/build/constraint: stack exhaustion in Parse</issue>`
			`<issue tracker="bnc" id="1230623">golang-github-prometheus-promu: build failure for s390x when moving to go1.23</issue>`
			`<issue tracker="cve" id="2023-46809"/>`
			`<issue tracker="cve" id="2024-6655"/>`
			`<issue tracker="cve" id="2024-21890"/>`
			`<issue tracker="cve" id="2024-21891"/>`
			`<issue tracker="cve" id="2024-21892"/>`
			`<issue tracker="cve" id="2024-21896"/>`
			`<issue tracker="cve" id="2024-22017"/>`
			`<issue tracker="cve" id="2024-22018"/>`
			`<issue tracker="cve" id="2024-22019"/>`
			`<issue tracker="cve" id="2024-22020"/>`
			`<issue tracker="cve" id="2024-22025"/>`
			`<issue tracker="cve" id="2024-24758"/>`
			`<issue tracker="cve" id="2024-24787"/>`
			`<issue tracker="cve" id="2024-24788"/>`
			`<issue tracker="cve" id="2024-24789"/>`
			`<issue tracker="cve" id="2024-24790"/>`
			`<issue tracker="cve" id="2024-24791"/>`
			`<issue tracker="cve" id="2024-24806"/>`
			`<issue tracker="cve" id="2024-27980"/>`
			`<issue tracker="cve" id="2024-27982"/>`
			`<issue tracker="cve" id="2024-27983"/>`
			`<issue tracker="cve" id="2024-30260"/>`
			`<issue tracker="cve" id="2024-30261"/>`
			`<issue tracker="cve" id="2024-34155"/>`
			`<issue tracker="cve" id="2024-34156"/>`
			`<issue tracker="cve" id="2024-34158"/>`
			`<issue tracker="cve" id="2024-36137"/>`
			`<issue tracker="cve" id="2024-36138"/>`
			`<issue tracker="cve" id="2024-37372"/>`
			`<issue tracker="jsc" id="PED-3576"/>`
			`<packager>jfkw</packager>`
			`<rating>important</rating>`
			`<category>security</category>`
			`<summary>Security update for go1.20, go1.21, go1.23, golang-github-prometheus-promu, go1.19, go1.22, gtk2, go, nodejs20</summary>`
			`<description>This update for go1.20, go1.21, go1.23, golang-github-prometheus-promu, go1.19, go1.22, gtk2, go, nodejs20 fixes the following issues:`

			`go:`
			`- Update to current stable go1.23`

			`go1.19:`
			`- Use %patch -P N instead of deprecated %patchN.`

			`go1.20:`
			`- Packaging improvements:`
			`* Use %patch -P N instead of deprecated %patchN`

			`- Packaging improvements:`
			`* bsc#1219988 ensure VERSION file is present in GOROOT`
			`as required by go tool dist and go tool distpack`

			`go1.21:`
			`- go1.21.13 (released 2024-08-06)`

			`go1.22:`
			`- go1.22.7 (released 2024-09-05)`

			`go1.23:`
			`- go1.23.1 (released 2024-09-05)`

			`gtk2:`
			`- CVE-2024-6655 Stop looking for modules in cwd (bsc#1228120).`

			`nodejs20:`
			`- Update to 20.15.1`

			`golang-github-prometheus-promu:`
			`- Require Go 1.21 for building`
			`- Update to version 0.16.0`
			`</description>`
			`<package>go</package>`
			`<package>go1.19</package>`
			`<package>go1.20</package>`
			`<package>go1.21</package>`
			`<package>go1.22</package>`
			`<package>go1.23</package>`
			`<package>golang-github-prometheus-promu</package>`
			`<package>gtk2</package>`
			`<package>nodejs20</package>`
			`<seperate_build_arch/>`
Update incident numbers 2024-10-01 13:58:16 +02:00			`</patchinfo>`