Описание
Security update for go1.21
This update for go1.21 fixes the following issues:
go1.21.4 (released 2023-11-07) includes security fixes to the path/filepath package, as well as bug fixes to the linker, the runtime, the compiler, and the go/types, net/http, and runtime/cgo packages.
- security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths (bsc#1216943, bsc#1216944)
- spec: update unification rules
- cmd/compile: internal compiler error: expected struct value to have type struct
- cmd/link: split text sections for arm 32-bit
- runtime: MADV_COLLAPSE causes production performance issues on Linux
- go/types, x/tools/go/ssa: panic: type param without replacement encountered
- cmd/compile: -buildmode=c-archive produces code not suitable for use in a shared object on arm64
- net/http: http2 page fails on firefox/safari if pushing resources
Список пакетов
Container bci/golang:1.21
SUSE Linux Enterprise Module for Development Tools 15 SP4
SUSE Linux Enterprise Module for Development Tools 15 SP5
openSUSE Leap 15.4
openSUSE Leap 15.5
Ссылки
- Link for SUSE-SU-2023:4471-1
- E-Mail link for SUSE-SU-2023:4471-1
- SUSE Security Ratings
- SUSE Bug 1212475
- SUSE Bug 1216943
- SUSE Bug 1216944
- SUSE CVE CVE-2023-45283 page
- SUSE CVE CVE-2023-45284 page
Описание
The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. Clean will now convert this to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. Join will now convert this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?, resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). The previous behavior has been restored.
Затронутые продукты
Ссылки
- CVE-2023-45283
- SUSE Bug 1216943
Описание
On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local.
Затронутые продукты
Ссылки
- CVE-2023-45284
- SUSE Bug 1216944