116 lines
7.4 KiB
Plaintext
116 lines
7.4 KiB
Plaintext
<patchinfo incident="53">
|
|
<!-- generated from request(s) 344504, 344209, 344210, 344211, 344217, 344239, 339640, 339518, 345836 -->
|
|
<issue tracker="bnc" id="1212475">go1.21 release tracking</issue>
|
|
<issue tracker="bnc" id="1218424">go1.22 release tracking</issue>
|
|
<issue tracker="bnc" id="1219724">VUL-0: CVE-2024-24806: libuv: libuv: Improper Domain Lookup that potentially leads to SSRF attacks</issue>
|
|
<issue tracker="bnc" id="1219988">go1.20,go1.21,go1.22: ensure VERSION file is present in go1.x toolchain GOROOT</issue>
|
|
<issue tracker="bnc" id="1219992">VUL-0: CVE-2024-21892: nodejs18,nodejs20,nodejs21: Code injection and privilege escalation through Linux capabilities</issue>
|
|
<issue tracker="bnc" id="1219993">VUL-0: CVE-2024-22019: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs4,nodejs6,nodejs8: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks</issue>
|
|
<issue tracker="bnc" id="1219994">VUL-0: CVE-2024-21896: nodejs20: Path traversal by monkey-patching Buffer internals</issue>
|
|
<issue tracker="bnc" id="1219995">VUL-0: CVE-2024-22017: nodejs20: setuid() does not drop all privileges due to io_uring</issue>
|
|
<issue tracker="bnc" id="1219997">VUL-0: CVE-2023-46809: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs4,nodejs6,nodejs8: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding)</issue>
|
|
<issue tracker="bnc" id="1219998">VUL-0: CVE-2024-21891: nodejs20: Multiple permission model bypasses due to improper path traversal sequence sanitization</issue>
|
|
<issue tracker="bnc" id="1219999">VUL-0: CVE-2024-21890: nodejs20: Improper handling of wildcards in --allow-fs-read and --allow-fs-write</issue>
|
|
<issue tracker="bnc" id="1220014">VUL-0: CVE-2024-22025: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs4,nodejs6,nodejs8: Denial of Service by resource exhaustion in fetch() brotli decoding</issue>
|
|
<issue tracker="bnc" id="1220017">VUL-0: CVE-2024-24758: nodejs16,nodejs18,nodejs20: ignore proxy-authorization header</issue>
|
|
<issue tracker="bnc" id="1220053">VUL-0: CVE-2024-24806: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs8: libuv: improper domain lookup that potentially leads to SSRF attacks</issue>
|
|
<issue tracker="bnc" id="1222244">VUL-0: nodejs20,nodejs18: VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks</issue>
|
|
<issue tracker="bnc" id="1222384">VUL-0: CVE-2024-27982: nodejs18,nodejs20: HTTP Request Smuggling via Content Length Obfuscation</issue>
|
|
<issue tracker="bnc" id="1222530">VUL-0: CVE-2024-30260: nodejs, nodejs-electron: undici: proxy-authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline</issue>
|
|
<issue tracker="bnc" id="1222603">VUL-0: CVE-2024-30261: nodejs: fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect</issue>
|
|
<issue tracker="bnc" id="1224017">VUL-0: CVE-2024-24787: go1.21,go1.22: cmd/go: arbitrary code execution during build on darwin</issue>
|
|
<issue tracker="bnc" id="1224018">VUL-0: CVE-2024-24788: go1.22: net: malformed DNS message can cause infinite loop</issue>
|
|
<issue tracker="bnc" id="1225973">VUL-0: CVE-2024-24789: go1.21,go1.22: archive/zip: mishandling of corrupt central directory record</issue>
|
|
<issue tracker="bnc" id="1225974">VUL-0: CVE-2024-24790: go1.21,go1.22: net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses</issue>
|
|
<issue tracker="bnc" id="1227314">VUL-0: CVE-2024-24791 go1.21,go1.22: net/http: denial of service due to improper 100-continue handling</issue>
|
|
<issue tracker="bnc" id="1227554">VUL-0: CVE-2024-22020: nodejs: bypass network import restriction via data URL</issue>
|
|
<issue tracker="bnc" id="1227560">VUL-0: CVE-2024-36138: nodejs: bypass incomplete fix of CVE-2024-27980</issue>
|
|
<issue tracker="bnc" id="1227561">VUL-0: CVE-2024-36137: nodejs: fs.fchown/fchmod bypasses permission model</issue>
|
|
<issue tracker="bnc" id="1227562">VUL-0: CVE-2024-22018: nodejs: fs.lstat bypasses permission model</issue>
|
|
<issue tracker="bnc" id="1227563">VUL-0: CVE-2024-37372: nodejs: permission model improperly processes UNC paths</issue>
|
|
<issue tracker="bnc" id="1228120">VUL-0: CVE-2024-6655: gtk2,gtk3,gtk4: library injection from current working directory</issue>
|
|
<issue tracker="bnc" id="1229122">go1.23 release tracking</issue>
|
|
<issue tracker="bnc" id="1230252">VUL-0: CVE-2024-34155: go1.22,go1.23: go/parser: stack exhaustion in all Parse* functions</issue>
|
|
<issue tracker="bnc" id="1230253">VUL-0: CVE-2024-34156: go1.22,go1.23: encoding/gob: stack exhaustion in Decoder.Decode</issue>
|
|
<issue tracker="bnc" id="1230254">VUL-0: CVE-2024-34158: go1.22,go1.23: go/build/constraint: stack exhaustion in Parse</issue>
|
|
<issue tracker="bnc" id="1230623">golang-github-prometheus-promu: build failure for s390x when moving to go1.23</issue>
|
|
<issue tracker="cve" id="2023-46809"/>
|
|
<issue tracker="cve" id="2024-6655"/>
|
|
<issue tracker="cve" id="2024-21890"/>
|
|
<issue tracker="cve" id="2024-21891"/>
|
|
<issue tracker="cve" id="2024-21892"/>
|
|
<issue tracker="cve" id="2024-21896"/>
|
|
<issue tracker="cve" id="2024-22017"/>
|
|
<issue tracker="cve" id="2024-22018"/>
|
|
<issue tracker="cve" id="2024-22019"/>
|
|
<issue tracker="cve" id="2024-22020"/>
|
|
<issue tracker="cve" id="2024-22025"/>
|
|
<issue tracker="cve" id="2024-24758"/>
|
|
<issue tracker="cve" id="2024-24787"/>
|
|
<issue tracker="cve" id="2024-24788"/>
|
|
<issue tracker="cve" id="2024-24789"/>
|
|
<issue tracker="cve" id="2024-24790"/>
|
|
<issue tracker="cve" id="2024-24791"/>
|
|
<issue tracker="cve" id="2024-24806"/>
|
|
<issue tracker="cve" id="2024-27980"/>
|
|
<issue tracker="cve" id="2024-27982"/>
|
|
<issue tracker="cve" id="2024-27983"/>
|
|
<issue tracker="cve" id="2024-30260"/>
|
|
<issue tracker="cve" id="2024-30261"/>
|
|
<issue tracker="cve" id="2024-34155"/>
|
|
<issue tracker="cve" id="2024-34156"/>
|
|
<issue tracker="cve" id="2024-34158"/>
|
|
<issue tracker="cve" id="2024-36137"/>
|
|
<issue tracker="cve" id="2024-36138"/>
|
|
<issue tracker="cve" id="2024-37372"/>
|
|
<issue tracker="jsc" id="PED-3576"/>
|
|
<packager>jfkw</packager>
|
|
<rating>important</rating>
|
|
<category>security</category>
|
|
<summary>Security update for go1.20, go1.21, go1.23, golang-github-prometheus-promu, go1.19, go1.22, gtk2, go, nodejs20</summary>
|
|
<description>This update for go1.20, go1.21, go1.23, golang-github-prometheus-promu, go1.19, go1.22, gtk2, go, nodejs20 fixes the following issues:
|
|
|
|
go:
|
|
- Update to current stable go1.23
|
|
|
|
go1.19:
|
|
- Use %patch -P N instead of deprecated %patchN.
|
|
|
|
go1.20:
|
|
- Packaging improvements:
|
|
* Use %patch -P N instead of deprecated %patchN
|
|
|
|
- Packaging improvements:
|
|
* bsc#1219988 ensure VERSION file is present in GOROOT
|
|
as required by go tool dist and go tool distpack
|
|
|
|
go1.21:
|
|
- go1.21.13 (released 2024-08-06)
|
|
|
|
go1.22:
|
|
- go1.22.7 (released 2024-09-05)
|
|
|
|
go1.23:
|
|
- go1.23.1 (released 2024-09-05)
|
|
|
|
gtk2:
|
|
- CVE-2024-6655 Stop looking for modules in cwd (bsc#1228120).
|
|
|
|
nodejs20:
|
|
- Update to 20.15.1
|
|
|
|
golang-github-prometheus-promu:
|
|
- Require Go 1.21 for building
|
|
- Update to version 0.16.0
|
|
</description>
|
|
<package>go</package>
|
|
<package>go1.19</package>
|
|
<package>go1.20</package>
|
|
<package>go1.21</package>
|
|
<package>go1.22</package>
|
|
<package>go1.23</package>
|
|
<package>golang-github-prometheus-promu</package>
|
|
<package>gtk2</package>
|
|
<package>nodejs20</package>
|
|
<seperate_build_arch/>
|
|
</patchinfo> |