Security update for go1.16 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:2186-1 Final 1 1 2021-06-28T16:23:28Z current 2021-06-28T16:23:28Z 2021-06-28T16:23:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.16 This update for go1.16 fixes the following issues: Update to 1.16.5. Includes these security fixes - CVE-2021-33195: net: Lookup functions may return invalid host names (bsc#1187443). - CVE-2021-33196: archive/zip: malformed archive may cause panic or memory exhaustion (bsc#1186622). - CVE-2021-33197: net/http/httputil: ReverseProxy forwards Connection headers if first one is empty (bsc#1187444) - CVE-2021-33198: math/big: (*Rat).SetString with '1.770p02041010010011001001' crashes with 'makeslice: len out of range' (bsc#1187445). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/golang:1.16-2021-2186,Container trento/trento-runner:latest-2021-2186,SUSE-2021-2186,SUSE-SLE-Module-Development-Tools-15-SP2-2021-2186,SUSE-SLE-Module-Development-Tools-15-SP3-2021-2186 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20212186-1/ Link for SUSE-SU-2021:2186-1 https://lists.suse.com/pipermail/sle-security-updates/2021-June/009096.html E-Mail link for SUSE-SU-2021:2186-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1182345 SUSE Bug 1182345 https://bugzilla.suse.com/1186622 SUSE Bug 1186622 https://bugzilla.suse.com/1187443 SUSE Bug 1187443 https://bugzilla.suse.com/1187444 SUSE Bug 1187444 https://bugzilla.suse.com/1187445 SUSE Bug 1187445 https://www.suse.com/security/cve/CVE-2021-33195/ SUSE CVE CVE-2021-33195 page https://www.suse.com/security/cve/CVE-2021-33196/ SUSE CVE CVE-2021-33196 page https://www.suse.com/security/cve/CVE-2021-33197/ SUSE CVE CVE-2021-33197 page https://www.suse.com/security/cve/CVE-2021-33198/ SUSE CVE CVE-2021-33198 page Container bci/golang:1.16 Container trento/trento-runner:latest SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 go1.16-1.16.5-1.17.1 go1.16-doc-1.16.5-1.17.1 go1.16-race-1.16.5-1.17.1 go1.16-1.16.5-1.17.1 as a component of Container bci/golang:1.16 go1.16-1.16.5-1.17.1 as a component of Container trento/trento-runner:latest go1.16-1.16.5-1.17.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 go1.16-doc-1.16.5-1.17.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 go1.16-race-1.16.5-1.17.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 go1.16-1.16.5-1.17.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 go1.16-doc-1.16.5-1.17.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 go1.16-race-1.16.5-1.17.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. CVE-2021-33195 Container bci/golang:1.16:go1.16-1.16.5-1.17.1 Container trento/trento-runner:latest:go1.16-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-doc-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-race-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.16-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.16-doc-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.16-race-1.16.5-1.17.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212186-1/ https://www.suse.com/security/cve/CVE-2021-33195.html CVE-2021-33195 https://bugzilla.suse.com/1187443 SUSE Bug 1187443 In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic. CVE-2021-33196 Container bci/golang:1.16:go1.16-1.16.5-1.17.1 Container trento/trento-runner:latest:go1.16-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-doc-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-race-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.16-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.16-doc-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.16-race-1.16.5-1.17.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212186-1/ https://www.suse.com/security/cve/CVE-2021-33196.html CVE-2021-33196 https://bugzilla.suse.com/1186622 SUSE Bug 1186622 https://bugzilla.suse.com/1190589 SUSE Bug 1190589 In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. CVE-2021-33197 Container bci/golang:1.16:go1.16-1.16.5-1.17.1 Container trento/trento-runner:latest:go1.16-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-doc-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-race-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.16-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.16-doc-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.16-race-1.16.5-1.17.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212186-1/ https://www.suse.com/security/cve/CVE-2021-33197.html CVE-2021-33197 https://bugzilla.suse.com/1187444 SUSE Bug 1187444 In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. CVE-2021-33198 Container bci/golang:1.16:go1.16-1.16.5-1.17.1 Container trento/trento-runner:latest:go1.16-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-doc-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.16-race-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.16-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.16-doc-1.16.5-1.17.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.16-race-1.16.5-1.17.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212186-1/ https://www.suse.com/security/cve/CVE-2021-33198.html CVE-2021-33198 https://bugzilla.suse.com/1187445 SUSE Bug 1187445