Security update for go1.18 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:4055-1 Final 1 1 2022-11-17T14:37:36Z current 2022-11-17T14:37:36Z 2022-11-17T14:37:36Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.18 This update for go1.18 fixes the following issues: Update to go 1.18.8 (released 2022-11-01) (bsc#1193742): Security fixes: - CVE-2022-41716: Fixed unsanitized NUL in environment variables in syscalls, os/exec (go#56327) (bsc#1204941). Bugfixes: - runtime: lock count' fatal error when cgo is enabled (go#56308). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/golang:1.18-2022-4055,SUSE-2022-4055,SUSE-SLE-Module-Development-Tools-15-SP3-2022-4055,SUSE-SLE-Module-Development-Tools-15-SP4-2022-4055,openSUSE-SLE-15.3-2022-4055,openSUSE-SLE-15.4-2022-4055 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20224055-1/ Link for SUSE-SU-2022:4055-1 https://lists.suse.com/pipermail/sle-security-updates/2022-November/012970.html E-Mail link for SUSE-SU-2022:4055-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1193742 SUSE Bug 1193742 https://bugzilla.suse.com/1204941 SUSE Bug 1204941 https://www.suse.com/security/cve/CVE-2022-41716/ SUSE CVE CVE-2022-41716 page Container bci/golang:1.18 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 openSUSE Leap 15.3 openSUSE Leap 15.4 go1.18-1.18.8-150000.1.37.1 go1.18-doc-1.18.8-150000.1.37.1 go1.18-race-1.18.8-150000.1.37.1 go1.18-1.18.8-150000.1.37.1 as a component of Container bci/golang:1.18 go1.18-1.18.8-150000.1.37.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 go1.18-doc-1.18.8-150000.1.37.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 go1.18-race-1.18.8-150000.1.37.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 go1.18-1.18.8-150000.1.37.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 go1.18-doc-1.18.8-150000.1.37.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 go1.18-race-1.18.8-150000.1.37.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 go1.18-1.18.8-150000.1.37.1 as a component of openSUSE Leap 15.3 go1.18-doc-1.18.8-150000.1.37.1 as a component of openSUSE Leap 15.3 go1.18-race-1.18.8-150000.1.37.1 as a component of openSUSE Leap 15.3 go1.18-1.18.8-150000.1.37.1 as a component of openSUSE Leap 15.4 go1.18-doc-1.18.8-150000.1.37.1 as a component of openSUSE Leap 15.4 go1.18-race-1.18.8-150000.1.37.1 as a component of openSUSE Leap 15.4 Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D". CVE-2022-41716 Container bci/golang:1.18:go1.18-1.18.8-150000.1.37.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.18-1.18.8-150000.1.37.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.18-doc-1.18.8-150000.1.37.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:go1.18-race-1.18.8-150000.1.37.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.18-1.18.8-150000.1.37.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.18-doc-1.18.8-150000.1.37.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.18-race-1.18.8-150000.1.37.1 openSUSE Leap 15.3:go1.18-1.18.8-150000.1.37.1 openSUSE Leap 15.3:go1.18-doc-1.18.8-150000.1.37.1 openSUSE Leap 15.3:go1.18-race-1.18.8-150000.1.37.1 openSUSE Leap 15.4:go1.18-1.18.8-150000.1.37.1 openSUSE Leap 15.4:go1.18-doc-1.18.8-150000.1.37.1 openSUSE Leap 15.4:go1.18-race-1.18.8-150000.1.37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20224055-1/ https://www.suse.com/security/cve/CVE-2022-41716.html CVE-2022-41716 https://bugzilla.suse.com/1204941 SUSE Bug 1204941