SUSE-SU-2023:2312-1

Published: 30 May 2023
Source: suse-cvrf

Description

Security update for go1.18-openssl

This update for go1.18-openssl fixes the following issues:

  • Add subpackage go1.x-libstd compiled shared object libstd.so (jsc#PED-1962)

    • Main go1.x package included libstd.so in previous versions
    • Split libstd.so into subpackage that can be installed standalone
    • Continues the slimming down of main go1.x package by 40 Mb
    • Experimental and not recommended for general use, Go currently has no ABI
    • Upstream Go has not committed to support buildmode=shared long-term
    • Do not use in packaging, build static single binaries (the default)
    • Upstream Go go1.x binary releases do not include libstd.so
    • go1.x Suggests go1.x-libstd so not installed by default Recommends
    • go1.x-libstd does not Require: go1.x so can install standalone
    • Provides go-libstd unversioned package name
    • Fix build step -buildmode=shared std to omit -linkshared
  • Packaging improvements:

    • go1.x Suggests go1.x-doc so not installed by default Recommends
    • Use Group: Development/Languages/Go instead of Other
  • Improvements to go1.x packaging spec:

    • On Tumbleweed bootstrap with current default gcc13 and gccgo118
    • On SLE-12 aarch64 ppc64le ppc64 remove overrides to bootstrap using go1.x package (%bcond_without gccgo). This is no longer needed on current SLE-12:Update and removing will consolidate the build configurations used.
    • Change source URLs to go.dev as per Go upstream
    • On x86_64 export GOAMD64=v1 as per the current baseline. At this time forgo GOAMD64=v3 option for x86_64_v3 support.
    • On x86_64 %define go_amd64=v1 as current instruction baseline
  • Update to version 1.18.10.1 cut from the go1.18-openssl-fips branch at the revision tagged go1.18.10-1-openssl-fips.

    • Merge branch dev.boringcrypto.go1.18 into go1.18-openssl-fips
    • Merge go1.18.10 into dev.boringcrypto.go1.18
  • go1.18.10 (released 2023-01-10) includes fixes to cgo, the compiler, the linker, and the crypto/x509, net/http, and syscall packages. Refs bsc#1193742 go1.18 release tracking

    • go#57705 misc/cgo: backport needed for dlltool fix
    • go#57426 crypto/x509: Verify on macOS does not return typed errors
    • go#57344 cmd/compile: the loong64 intrinsic for CompareAndSwapUint32 function needs to sign extend its 'old' argument.
    • go#57338 syscall, internal/poll: accept4-to-accept fallback removal broke Go code on Synology DSM 6.2 ARM devices
    • go#57213 os: TestLstat failure on Linux Aarch64
    • go#57211 reflect: sort.SliceStable sorts incorrectly on arm64 with less function created with reflect.MakeFunc and slice of sufficient length
    • go#57057 cmd/go: remove test dependency on gopkg.in service
    • go#57054 cmd/go: TestScript/version_buildvcs_git_gpg (if enabled) fails on linux longtest builders
    • go#57044 cgo: malformed DWARF TagVariable entry
    • go#57028 cmd/cgo: Wrong types in compiler errors with clang 14
    • go#56833 cmd/link/internal/ppc64: too-far trampoline is reused
    • go#56711 net: reenable TestLookupDotsWithRemoteSource and TestLookupGoogleSRV with a different target
    • go#56323 net/http: bad handling of HEAD requests with a body

Package list

SUSE Enterprise Storage 7.1
go1.18-openssl-1.18.10.1-150000.1.9.1
go1.18-openssl-doc-1.18.10.1-150000.1.9.1
go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS
go1.18-openssl-1.18.10.1-150000.1.9.1
go1.18-openssl-doc-1.18.10.1-150000.1.9.1
go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
go1.18-openssl-1.18.10.1-150000.1.9.1
go1.18-openssl-doc-1.18.10.1-150000.1.9.1
go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Module for Development Tools 15 SP4
go1.18-openssl-1.18.10.1-150000.1.9.1
go1.18-openssl-doc-1.18.10.1-150000.1.9.1
go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Real Time 15 SP3
go1.18-openssl-1.18.10.1-150000.1.9.1
go1.18-openssl-doc-1.18.10.1-150000.1.9.1
go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Server 15 SP3-LTSS
go1.18-openssl-1.18.10.1-150000.1.9.1
go1.18-openssl-doc-1.18.10.1-150000.1.9.1
go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3
go1.18-openssl-1.18.10.1-150000.1.9.1
go1.18-openssl-doc-1.18.10.1-150000.1.9.1
go1.18-openssl-race-1.18.10.1-150000.1.9.1
openSUSE Leap 15.4
go1.18-openssl-1.18.10.1-150000.1.9.1
go1.18-openssl-doc-1.18.10.1-150000.1.9.1
go1.18-openssl-race-1.18.10.1-150000.1.9.1
openSUSE Leap 15.5
go1.18-openssl-1.18.10.1-150000.1.9.1
go1.18-openssl-doc-1.18.10.1-150000.1.9.1
go1.18-openssl-race-1.18.10.1-150000.1.9.1

Description

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to panic.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
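The defender-side check for the behaviour described above is to confirm what the backend actually receives for X-Forwarded-For under each Director configuration. The following Go program is an added example, not code from the advisory or from the Go project: it runs one constructed request (client address 203.0.113.7, a sample value) through an httputil.ReverseProxy whose Transport is a hypothetical in-process RoundTripper, so nothing is sent over the network, and reports the header values the upstream would see. On a fixed Go release a Director that sets the header to nil suppresses the client IP; the default path appends it, and a prior hop's value is folded in front of it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// captureTransport stands in for the network: it records the outbound request
// the proxy built and answers with an empty 204, so nothing leaves the process.
type captureTransport struct{ outbound *http.Request }

func (c *captureTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	c.outbound = r
	return &http.Response{
		StatusCode: http.StatusNoContent,
		Header:     make(http.Header),
		Body:       http.NoBody,
		Request:    r,
	}, nil
}

// ForwardedFor pushes one constructed request (client address 203.0.113.7)
// through a ReverseProxy. tweak, if non-nil, runs after the default Director so
// the caller can adjust headers. It returns the X-Forwarded-For values the
// backend would actually receive; a nil map entry is never written on the wire,
// so Header.Values reports it as an empty list.
func ForwardedFor(tweak func(*http.Request)) []string {
	target, err := url.Parse("http://backend.invalid") // hypothetical upstream
	if err != nil {
		panic(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	base := proxy.Director
	proxy.Director = func(r *http.Request) {
		base(r)
		if tweak != nil {
			tweak(r)
		}
	}
	ct := &captureTransport{}
	proxy.Transport = ct

	req := httptest.NewRequest(http.MethodGet, "http://frontend.test/path", nil)
	req.RemoteAddr = "203.0.113.7:4444" // constructed client address
	proxy.ServeHTTP(httptest.NewRecorder(), req)
	return ct.outbound.Header.Values("X-Forwarded-For")
}

func main() {
	fmt.Println("default:      ", ForwardedFor(nil))
	fmt.Println("prior hop:    ", ForwardedFor(func(r *http.Request) {
		r.Header.Set("X-Forwarded-For", "198.51.100.9")
	}))
	fmt.Println("nil (opt out):", ForwardedFor(func(r *http.Request) {
		r.Header["X-Forwarded-For"] = nil
	}))
}
```

The nil-entry idiom is the documented way to tell ReverseProxy not to disclose the client address; a test like this one, run against the Go toolchain actually shipped, is the quickest way to confirm the fix is in place.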


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".
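Where an application cannot yet move to a fixed toolchain, or simply wants defence in depth, the check to add is a validation of every KEY=VALUE entry before it reaches exec.Cmd.Env. The Go program below is an added example, not code from the advisory or the Go standard library; the function names (ValidateEnv, HiddenVariables, NewCommand) and the tainted sample entry are constructed for illustration. It rejects entries that embed a NUL byte or are not of the form KEY=VALUE, and reports which extra variables an unchecked entry would have introduced so the event can be logged.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrNULInEnv marks an environment entry that embeds a NUL byte.
var ErrNULInEnv = errors.New("environment entry contains a NUL byte")

// ValidateEnv vets KEY=VALUE entries before they are handed to exec.Cmd.Env.
// C-style environment blocks are NUL-terminated, so an unchecked "A=B\x00C=D"
// is seen by the child as two variables, A=B and C=D.
func ValidateEnv(env []string) error {
	for i, entry := range env {
		if strings.IndexByte(entry, 0) >= 0 {
			return fmt.Errorf("env[%d] %q: %w", i, entry, ErrNULInEnv)
		}
		key, _, found := strings.Cut(entry, "=")
		if !found || key == "" {
			return fmt.Errorf("env[%d] %q: not of the form KEY=VALUE", i, entry)
		}
	}
	return nil
}

// HiddenVariables lists the extra KEY=VALUE pairs an unchecked entry would
// introduce after the first NUL, which is what an audit log should record.
func HiddenVariables(entry string) []string {
	parts := strings.Split(entry, "\x00")
	if len(parts) < 2 {
		return nil
	}
	return parts[1:]
}

// NewCommand builds an exec.Cmd with a validated environment and refuses to
// construct the command at all if validation fails.
func NewCommand(name string, args []string, env []string) (*exec.Cmd, error) {
	if err := ValidateEnv(env); err != nil {
		return nil, err
	}
	cmd := exec.Command(name, args...)
	cmd.Env = env
	return cmd, nil
}

func main() {
	// Constructed sample: a value copied from untrusted input into the env.
	tainted := []string{"PATH=/usr/bin", "USER_TAG=B\x00C=D"}
	if _, err := NewCommand("env", nil, tainted); err != nil {
		fmt.Println("rejected:", err)
		fmt.Println("would have injected:", HiddenVariables(tainted[1]))
	}
	if cmd, err := NewCommand("env", nil, []string{"PATH=/usr/bin", "USER_TAG=B"}); err == nil {
		fmt.Println("accepted:", cmd.Env)
	}
}
```

The same validation belongs in front of syscall.StartProcess, which the advisory names alongside os/exec; doing it at the one place that assembles the environment keeps the policy from being bypassed by a second code path.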


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References

Description

A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. 
Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.
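The mitigation the last sentence points at is worth seeing in a handler, because ParseMultipartForm's maxMemory argument alone bounds neither disk use nor the number of temporary files. The Go program below is an added example, not code from the advisory or from net/http: it wraps the request body in http.MaxBytesReader before parsing, so the total bytes a client can make the server buffer or spill to disk is capped, and cleans up whatever temporary files ReadForm did create. The handler, the 4 KiB and 1 KiB limits, and the multipart bodies it feeds itself are constructed for illustration; a 1000-byte upload passes and a 100000-byte one is refused with 413.

```go
package main

import (
	"bytes"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// LimitedFormHandler caps the whole request body at maxBody bytes with
// http.MaxBytesReader before ParseMultipartForm runs, and keeps at most
// maxMemory bytes of file parts in memory before they spill to disk. The body
// cap is what bounds disk use, since ReadForm itself does not limit it.
func LimitedFormHandler(maxBody, maxMemory int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, maxBody)
		if err := r.ParseMultipartForm(maxMemory); err != nil {
			// Oversized (MaxBytesReader tripped) or malformed: refuse without
			// echoing the error text, which can carry client-controlled data.
			http.Error(w, "form rejected", http.StatusRequestEntityTooLarge)
			return
		}
		// Remove any temporary files ReadForm created for this request.
		defer r.MultipartForm.RemoveAll()
		fmt.Fprintf(w, "ok: %d file part(s)\n", len(r.MultipartForm.File["upload"]))
	})
}

// buildUpload constructs a multipart/form-data request (a sample, not real
// traffic) whose single "upload" file part is fileSize bytes long.
func buildUpload(fileSize int) *http.Request {
	var body bytes.Buffer
	mw := multipart.NewWriter(&body)
	fw, err := mw.CreateFormFile("upload", "blob.bin")
	if err != nil {
		panic(err)
	}
	fw.Write(bytes.Repeat([]byte("A"), fileSize))
	mw.WriteField("note", "constructed sample")
	mw.Close()
	req := httptest.NewRequest(http.MethodPost, "/upload", &body)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	return req
}

// Submit runs one constructed upload through the handler and returns the
// status code the client would see.
func Submit(h http.Handler, fileSize int) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, buildUpload(fileSize))
	return rec.Code
}

func main() {
	h := LimitedFormHandler(4096, 1024) // 4 KiB body cap, 1 KiB in-memory budget
	fmt.Println("1000-byte upload   ->", Submit(h, 1000))
	fmt.Println("100000-byte upload ->", Submit(h, 100000))
}
```

Pick maxBody from the largest legitimate upload rather than from maxMemory: the two limits answer different questions (how much may arrive at all, versus how much of it stays in RAM), and only the first one is enforced against disk.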


Affected products
SUSE Enterprise Storage 7.1:go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-doc-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1:go1.18-openssl-race-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:go1.18-openssl-1.18.10.1-150000.1.9.1

References