Description
Security update for go1.16
This update for go1.16 fixes the following issues:
- go1.16.2 (released 2021-03-11) (bsc#1182345)
- go1.16.1 (released 2021-03-10) (bsc#1182345)
- CVE-2021-27918: Fixed an infinite loop when using xml.NewTokenDecoder with a custom TokenReader (bsc#1183333).
- CVE-2021-27919: Fixed an issue where archive/zip can panic when calling Reader.Open (bsc#1183334).
Package list
Container bci/golang:1.16
go1.16-1.16.2-1.8.1
Container trento/trento-runner:latest
go1.16-1.16.2-1.8.1
SUSE Linux Enterprise Module for Development Tools 15 SP2
go1.16-1.16.2-1.8.1
go1.16-doc-1.16.2-1.8.1
go1.16-race-1.16.2-1.8.1
References
- Link for SUSE-SU-2021:0937-1
- E-Mail link for SUSE-SU-2021:0937-1
- SUSE Security Ratings
- SUSE Bug 1182345
- SUSE Bug 1183333
- SUSE Bug 1183334
- SUSE CVE CVE-2021-27918 page
- SUSE CVE CVE-2021-27919 page
Description
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
Affected products
Container bci/golang:1.16:go1.16-1.16.2-1.8.1
Container trento/trento-runner:latest:go1.16-1.16.2-1.8.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-1.16.2-1.8.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-doc-1.16.2-1.8.1
References
- CVE-2021-27918
- SUSE Bug 1183333
Description
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
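A defensive pre-check for the archive/zip issue described above, as an added example that is not part of the advisory or the Go project: it lists entries whose names are not valid io/fs paths (such as names beginning with ../) without calling Reader.Open, so such archives can be rejected up front. The helper names unsafeEntryNames and buildSampleZip and the sample archive are constructed for illustration, and zip.ErrInsecurePath assumes Go 1.20 or later.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io/fs"
	"strings"
)

// unsafeEntryNames (hypothetical helper) returns the entry names that are not
// valid io/fs paths, e.g. names beginning with "../". It only reads the
// central directory and never calls Reader.Open.
func unsafeEntryNames(data []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Newer Go releases can report ErrInsecurePath yet still return a usable reader.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var bad []string
	for _, f := range r.File {
		// Normalise backslashes and the trailing slash of directory entries.
		name := strings.TrimSuffix(strings.ReplaceAll(f.Name, "\\", "/"), "/")
		if !fs.ValidPath(name) {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// buildSampleZip (hypothetical helper) writes a constructed in-memory archive.
func buildSampleZip(names ...string) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		if _, err := w.Create(n); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	data, _ := buildSampleZip("docs/readme.txt", "../outside.txt")
	bad, err := unsafeEntryNames(data)
	fmt.Println(bad, err)
}
```

Installing the updated go1.16 packages listed in this advisory remains the fix; the check only lets a service refuse such archives before they reach code that uses the zip reader as a file system.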
Affected products
Container bci/golang:1.16:go1.16-1.16.2-1.8.1
Container trento/trento-runner:latest:go1.16-1.16.2-1.8.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-1.16.2-1.8.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-doc-1.16.2-1.8.1
References
- CVE-2021-27919
- SUSE Bug 1183334