SUSE-SU-2022:2004-1

Published: 07 Jun 2022
Source: suse-cvrf

Description

Security update for go1.17

This update for go1.17 fixes the following issues:

Update to go1.17.11 (released 2022-06-01) (bsc#1190649):

  • CVE-2022-30634: Fixed crypto/rand rand.Read hangs with extremely large buffers (bsc#1200134).
  • CVE-2022-30629: Fixed crypto/tls session tickets lack random ticket_age_add (bsc#1200135).
  • CVE-2022-29804: Fixed path/filepath Clean(.\c:) returns c: on Windows (bsc#1200137).
  • CVE-2022-30580: Fixed os/exec empty Cmd.Path can result in running unintended binary on Windows (bsc#1200136).

Package list

Container bci/golang:1.17
go1.17-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15 SP3
go1.17-1.17.11-150000.1.37.1
go1.17-doc-1.17.11-150000.1.37.1
go1.17-race-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15 SP4
go1.17-1.17.11-150000.1.37.1
go1.17-doc-1.17.11-150000.1.37.1
go1.17-race-1.17.11-150000.1.37.1
openSUSE Leap 15.3
go1.17-1.17.11-150000.1.37.1
go1.17-doc-1.17.11-150000.1.37.1
go1.17-race-1.17.11-150000.1.37.1
openSUSE Leap 15.4
go1.17-1.17.11-150000.1.37.1
go1.17-doc-1.17.11-150000.1.37.1
go1.17-race-1.17.11-150000.1.37.1

Description

Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.


Affected products
Container bci/golang:1.17:go1.17-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.17-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.17-doc-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.17-race-1.17.11-150000.1.37.1

References

Description

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
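The two descriptions above (CVE-2022-29804 in path/filepath and CVE-2022-30580 in os/exec) both come down to a caller trusting a path that the standard library resolved for it. The following Go program is an added example, not code from SUSE, the Go project, or this advisory: it shows the application-side guards a defender can keep in place regardless of the Go version, namely refusing to start a Cmd whose Path is empty or relative, and joining untrusted paths under a base directory with an explicit check that the result stays inside it. The function names (CheckCmdPath, SafeJoin, isDriveSegment), the sentinel errors and the sample inputs are all this example's own; the volume-name check is done textually so it also triggers on a Linux host, where filepath.VolumeName returns "".

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// Sentinel errors returned by CheckCmdPath (names are this example's own).
var (
	ErrEmptyPath    = errors.New("exec guard: Cmd.Path is empty, refusing to start")
	ErrRelativePath = errors.New("exec guard: Cmd.Path is not absolute, refusing to start")
)

// CheckCmdPath is a hypothetical pre-Start guard. It refuses a Cmd whose
// Path is unset (the condition CVE-2022-30580 describes: an empty Path let
// os/exec run a "..com"/"..exe" file from the working directory) and one whose
// Path is relative, so nothing is ever picked up from the working directory.
func CheckCmdPath(cmd *exec.Cmd) error {
	if cmd.Path == "" {
		return ErrEmptyPath
	}
	if !filepath.IsAbs(cmd.Path) {
		return ErrRelativePath
	}
	return nil
}

// isDriveSegment reports whether a path segment looks like a Windows volume
// name such as "c:" or "c:foo". Checked textually so it also fires on a
// Linux host, where filepath.VolumeName would return "".
func isDriveSegment(seg string) bool {
	if len(seg) < 2 || seg[1] != ':' {
		return false
	}
	c := seg[0]
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// SafeJoin joins untrusted rel under base and rejects anything that would
// leave base: absolute inputs, Windows volume names (the ".\c:" shape that
// CVE-2022-29804 turned into an absolute path), and ".." traversal that
// survives cleaning. It never trusts Clean alone; the final check is a
// filepath.Rel back to base.
func SafeJoin(base, rel string) (string, error) {
	if rel == "" {
		return "", errors.New("empty path rejected")
	}
	if filepath.IsAbs(rel) || rel[0] == '/' || rel[0] == '\\' {
		return "", fmt.Errorf("absolute path rejected: %q", rel)
	}
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(rel, isSep) {
		if isDriveSegment(seg) {
			return "", fmt.Errorf("volume name rejected: %q", rel)
		}
	}
	cleanBase := filepath.Clean(base)
	joined := filepath.Join(cleanBase, filepath.FromSlash(rel))
	back, err := filepath.Rel(cleanBase, joined)
	if err != nil || back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path escapes base: %q", rel)
	}
	return joined, nil
}

func main() {
	// Constructed inputs: a Cmd with no Path, and a few untrusted path strings.
	fmt.Println(CheckCmdPath(&exec.Cmd{Path: "", Args: []string{"tool"}}))
	fmt.Println(CheckCmdPath(exec.Command("/bin/sh", "-c", "true")))
	for _, rel := range []string{"reports/q1.txt", "../etc/passwd", `.\c:`, "c:"} {
		p, err := SafeJoin("/srv/data", rel)
		fmt.Printf("%-16q -> %q %v\n", rel, p, err)
	}
}
```

The guards are deliberately stricter than the fixed library: SafeJoin rejects any drive-letter segment rather than trying to normalise it, and CheckCmdPath refuses relative Path values outright, so a service that runs on Windows and Linux hosts gets the same behaviour on both.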


Affected products
Container bci/golang:1.17:go1.17-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.17-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.17-doc-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.17-race-1.17.11-150000.1.37.1

References

Description

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.


Affected products
Container bci/golang:1.17:go1.17-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.17-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.17-doc-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.17-race-1.17.11-150000.1.37.1

References

Description

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.


Affected products
Container bci/golang:1.17:go1.17-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.17-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.17-doc-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.17-race-1.17.11-150000.1.37.1

References
Vulnerability SUSE-SU-2022:2004-1