Security update for go1.20 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:3181-1 Final 1 1 2023-08-03T19:34:23Z current 2023-08-03T19:34:23Z 2023-08-03T19:34:23Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.20 This update for go1.20 fixes the following issues: - Update to go v1.20.7 (released 2023-08-01) (bsc#1206346) - CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server while validating signatures for extremely large RSA keys. (bsc#1213880) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-3181,SUSE-SLE-Module-Development-Tools-15-SP4-2023-3181,SUSE-SLE-Module-Development-Tools-15-SP5-2023-3181,openSUSE-SLE-15.4-2023-3181,openSUSE-SLE-15.5-2023-3181 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20233181-1/ Link for SUSE-SU-2023:3181-1 https://lists.suse.com/pipermail/sle-updates/2023-August/030785.html E-Mail link for SUSE-SU-2023:3181-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1206346 SUSE Bug 1206346 https://bugzilla.suse.com/1213880 SUSE Bug 1213880 https://www.suse.com/security/cve/CVE-2023-29409/ SUSE CVE CVE-2023-29409 page SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 openSUSE Leap 15.4 openSUSE Leap 15.5 go1.20-1.20.7-150000.1.20.1 go1.20-doc-1.20.7-150000.1.20.1 go1.20-race-1.20.7-150000.1.20.1 go1.20-1.20.7-150000.1.20.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 go1.20-doc-1.20.7-150000.1.20.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 go1.20-race-1.20.7-150000.1.20.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 go1.20-1.20.7-150000.1.20.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 go1.20-doc-1.20.7-150000.1.20.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 go1.20-race-1.20.7-150000.1.20.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 go1.20-1.20.7-150000.1.20.1 as a component of openSUSE Leap 15.4 go1.20-doc-1.20.7-150000.1.20.1 as a component of openSUSE Leap 15.4 go1.20-race-1.20.7-150000.1.20.1 as a component of openSUSE Leap 15.4 go1.20-1.20.7-150000.1.20.1 as a component of openSUSE Leap 15.5 go1.20-doc-1.20.7-150000.1.20.1 as a component of openSUSE Leap 15.5 go1.20-race-1.20.7-150000.1.20.1 as a component of openSUSE Leap 15.5 Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. CVE-2023-29409 SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-1.20.7-150000.1.20.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-doc-1.20.7-150000.1.20.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.20-race-1.20.7-150000.1.20.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.20-1.20.7-150000.1.20.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.20-doc-1.20.7-150000.1.20.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.20-race-1.20.7-150000.1.20.1 openSUSE Leap 15.4:go1.20-1.20.7-150000.1.20.1 openSUSE Leap 15.4:go1.20-doc-1.20.7-150000.1.20.1 openSUSE Leap 15.4:go1.20-race-1.20.7-150000.1.20.1 openSUSE Leap 15.5:go1.20-1.20.7-150000.1.20.1 openSUSE Leap 15.5:go1.20-doc-1.20.7-150000.1.20.1 openSUSE Leap 15.5:go1.20-race-1.20.7-150000.1.20.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233181-1/ https://www.suse.com/security/cve/CVE-2023-29409.html CVE-2023-29409 https://bugzilla.suse.com/1213880 SUSE Bug 1213880