diff --git a/patchinfo.20250206145338162251.90520734224245/_patchinfo b/patchinfo.20250206145338162251.90520734224245/_patchinfo new file mode 100644 index 0000000..938bbfb --- /dev/null +++ b/patchinfo.20250206145338162251.90520734224245/_patchinfo @@ -0,0 +1,35 @@ + + + go1.22 release tracking + VUL-0: CVE-2024-45341: go1.22,go1.23: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints + VUL-0: CVE-2024-45336: go1.22,go1.23: net/http: sensitive headers incorrectly sent after cross-domain redirect + VUL-0: CVE-2025-22866 go1.22,go1.23,go1.24: crypto/elliptic: timing sidechannel for P-256 on ppc64le + + + + jfkw + moderate + security + Security update for go1.22 + This update for go1.22 fixes the following issues: + +- go1.22.12 (released 2025-02-04) includes security fixes to the + crypto/elliptic package, as well as bug fixes to the compiler and + the go command. (bsc#1218424) + + * CVE-2025-22866: crypto/internal/fips140/nistec: p256NegCond is variable time on ppc64le (bsc#1236801) + * cmd/go/internal/modfetch/codehost: test fails with git 2.47.1 + * cmd/compile: broken write barrier + +- go1.22.11 (released 2025-01-16) includes security fixes to the + crypto/x509 and net/http packages, as well as bug fixes to the + runtime. (bsc#1218424) + + * CVE-2024-45341: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints (bsc#1236045) + * CVE-2024-45336: net/http: sensitive headers incorrectly sent after cross-domain redirect (bsc#1236046) + * crypto/tls: TestVerifyConnection/TLSv12 failures + * internal/trace: TestTraceCPUProfile/Stress failures + + go1.22 + +