Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2023:4470-1

Опубликовано: 16 нояб. 2023
Источник: suse-cvrf

Описание

Security update for go1.20

This update for go1.20 fixes the following issues:

go1.20.11 (released 2023-11-07) includes security fixes to the path/filepath package, as well as bug fixes to the linker and the net/http package.

  • security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths (bsc#1216943, bsc#1216944)
  • cmd/link: split text sections for arm 32-bit
  • net/http: http2 page fails on firefox/safari if pushing resources

Список пакетов

SUSE Linux Enterprise Module for Development Tools 15 SP4
go1.20-1.20.11-150000.1.32.1
go1.20-doc-1.20.11-150000.1.32.1
go1.20-race-1.20.11-150000.1.32.1
SUSE Linux Enterprise Module for Development Tools 15 SP5
go1.20-1.20.11-150000.1.32.1
go1.20-doc-1.20.11-150000.1.32.1
go1.20-race-1.20.11-150000.1.32.1
openSUSE Leap 15.4
go1.20-1.20.11-150000.1.32.1
go1.20-doc-1.20.11-150000.1.32.1
go1.20-race-1.20.11-150000.1.32.1
openSUSE Leap 15.5
go1.20-1.20.11-150000.1.32.1
go1.20-doc-1.20.11-150000.1.32.1
go1.20-race-1.20.11-150000.1.32.1

Ссылки

Описание

The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. Clean will now convert this to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. Join will now convert this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?, resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). The previous behavior has been restored.

Затронутые продукты
SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.11-150000.1.32.1
SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.11-150000.1.32.1
SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.11-150000.1.32.1
SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.20-1.20.11-150000.1.32.1
Ссылки

Описание

On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local.

Затронутые продукты
SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.11-150000.1.32.1
SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.11-150000.1.32.1
SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.11-150000.1.32.1
SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.20-1.20.11-150000.1.32.1
Ссылки