go1.21 release tracking
go1.22 release tracking
VUL-0: CVE-2024-24806: libuv: Improper Domain Lookup that potentially leads to SSRF attacks
go1.20,go1.21,go1.22: ensure VERSION file is present in go1.x toolchain GOROOT
VUL-0: CVE-2024-21892: nodejs18,nodejs20,nodejs21: Code injection and privilege escalation through Linux capabilities
VUL-0: CVE-2024-22019: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs4,nodejs6,nodejs8: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
VUL-0: CVE-2024-21896: nodejs20: Path traversal by monkey-patching Buffer internals
VUL-0: CVE-2024-22017: nodejs20: setuid() does not drop all privileges due to io_uring
VUL-0: CVE-2023-46809: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs4,nodejs6,nodejs8: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding)
VUL-0: CVE-2024-21891: nodejs20: Multiple permission model bypasses due to improper path traversal sequence sanitization
VUL-0: CVE-2024-21890: nodejs20: Improper handling of wildcards in --allow-fs-read and --allow-fs-write
VUL-0: CVE-2024-22025: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs4,nodejs6,nodejs8: Denial of Service by resource exhaustion in fetch() brotli decoding
VUL-0: CVE-2024-24758: nodejs16,nodejs18,nodejs20: ignore proxy-authorization header
VUL-0: CVE-2024-24806: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs8: libuv: improper domain lookup that potentially leads to SSRF attacks
VUL-0: nodejs20,nodejs18: VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks
VUL-0: CVE-2024-27982: nodejs18,nodejs20: HTTP Request Smuggling via Content Length Obfuscation
VUL-0: CVE-2024-30260: nodejs, nodejs-electron: undici: proxy-authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
VUL-0: CVE-2024-30261: nodejs: fetch with integrity option is too lax when algorithm is specified but hash value is incorrect
VUL-0: CVE-2024-24787: go1.21,go1.22: cmd/go: arbitrary code execution during build on darwin
VUL-0: CVE-2024-24788: go1.22: net: malformed DNS message can cause infinite loop
VUL-0: CVE-2024-24789: go1.21,go1.22: archive/zip: mishandling of corrupt central directory record
VUL-0: CVE-2024-24790: go1.21,go1.22: net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
VUL-0: CVE-2024-24791: go1.21,go1.22: net/http: denial of service due to improper 100-continue handling
VUL-0: CVE-2024-22020: nodejs: bypass network import restriction via data URL
VUL-0: CVE-2024-36138: nodejs: bypass incomplete fix of CVE-2024-27980
VUL-0: CVE-2024-36137: nodejs: fs.fchown/fchmod bypasses permission model
VUL-0: CVE-2024-22018: nodejs: fs.lstat bypasses permission model
VUL-0: CVE-2024-37372: nodejs: permission model improperly processes UNC paths
VUL-0: CVE-2024-6655: gtk2,gtk3,gtk4: library injection from current working directory
go1.23 release tracking
VUL-0: CVE-2024-34155: go1.22,go1.23: go/parser: stack exhaustion in all Parse* functions
VUL-0: CVE-2024-34156: go1.22,go1.23: encoding/gob: stack exhaustion in Decoder.Decode
VUL-0: CVE-2024-34158: go1.22,go1.23: go/build/constraint: stack exhaustion in Parse
golang-github-prometheus-promu: build failure for s390x when moving to go1.23
jfkw
important
security
Security update for go1.20, go1.21, go1.23, golang-github-prometheus-promu, go1.19, go1.22, gtk2, go, nodejs20
This update for go1.20, go1.21, go1.23, golang-github-prometheus-promu, go1.19, go1.22, gtk2, go, nodejs20 fixes the following issues:
go:
- Update to current stable go1.23
go1.19:
- Use %patch -P N instead of deprecated %patchN.
go1.20:
- Packaging improvements:
* Use %patch -P N instead of deprecated %patchN
* bsc#1219988 ensure VERSION file is present in GOROOT as required by go tool dist and go tool distpack
go1.21:
- go1.21.13 (released 2024-08-06)
go1.22:
- go1.22.7 (released 2024-09-05)
go1.23:
- go1.23.1 (released 2024-09-05)
gtk2:
- CVE-2024-6655 Stop looking for modules in cwd (bsc#1228120).
nodejs20:
- Update to 20.15.1
golang-github-prometheus-promu:
- Require Go 1.21 for building
- Update to version 0.16.0
go
go1.19
go1.20
go1.21
go1.22
go1.23
golang-github-prometheus-promu
gtk2
nodejs20