Security update for go1.21-openssl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:4931-1 Final 1 1 2023-12-20T14:25:49Z current 2023-12-20T14:25:49Z 2023-12-20T14:25:49Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.21-openssl This update for go1.21-openssl fixes the following issues: Update to version 1.21.5.1: - CVE-2023-45285: cmd/go: git VCS qualifier in module path uses git:// scheme (bsc#1217834). - CVE-2023-45284: path/filepath: Clean removes ending slash for volume on Windows in Go 1.21.4 (bsc#1216943). - CVE-2023-39326: net/http: limit chunked data overhead (bsc#1217833). - cmd/go: go mod download needs to support toolchain upgrades - cmd/compile: invalid pointer found on stack when compiled with -race - os: NTFS deduped file changed from regular to irregular - net: TCPConn.ReadFrom hangs when io.Reader is TCPConn or UnixConn, Linux kernel < 5.1 - cmd/compile: internal compiler error: panic during prove while compiling: unexpected induction with too many parents - syscall: TestOpenFileLimit unintentionally runs on non-Unix platforms - runtime: self-deadlock on mheap_.lock - crypto/rand: Legacy RtlGenRandom use on Windows The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/golang:latest-2023-4931,SUSE-2023-4931,SUSE-SLE-Module-Development-Tools-15-SP4-2023-4931,SUSE-SLE-Module-Development-Tools-15-SP5-2023-4931,openSUSE-SLE-15.4-2023-4931,openSUSE-SLE-15.5-2023-4931 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20234931-1/ Link for SUSE-SU-2023:4931-1 https://lists.suse.com/pipermail/sle-security-updates/2023-December/017503.html E-Mail link for SUSE-SU-2023:4931-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1212475 SUSE Bug 1212475 https://bugzilla.suse.com/1216943 SUSE Bug 1216943 https://bugzilla.suse.com/1217833 SUSE Bug 1217833 https://bugzilla.suse.com/1217834 SUSE Bug 1217834 https://www.suse.com/security/cve/CVE-2023-39326/ SUSE CVE CVE-2023-39326 page https://www.suse.com/security/cve/CVE-2023-45284/ SUSE CVE CVE-2023-45284 page https://www.suse.com/security/cve/CVE-2023-45285/ SUSE CVE CVE-2023-45285 page Container bci/golang:latest SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 openSUSE Leap 15.4 openSUSE Leap 15.5 go1.21-openssl-1.21.5.1-150000.1.8.1 go1.21-openssl-doc-1.21.5.1-150000.1.8.1 go1.21-openssl-race-1.21.5.1-150000.1.8.1 go1.21-openssl-1.21.5.1-150000.1.8.1 as a component of Container bci/golang:latest go1.21-openssl-doc-1.21.5.1-150000.1.8.1 as a component of Container bci/golang:latest go1.21-openssl-race-1.21.5.1-150000.1.8.1 as a component of Container bci/golang:latest go1.21-openssl-1.21.5.1-150000.1.8.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 go1.21-openssl-doc-1.21.5.1-150000.1.8.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 go1.21-openssl-race-1.21.5.1-150000.1.8.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 go1.21-openssl-1.21.5.1-150000.1.8.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 go1.21-openssl-doc-1.21.5.1-150000.1.8.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 go1.21-openssl-race-1.21.5.1-150000.1.8.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 go1.21-openssl-1.21.5.1-150000.1.8.1 as a component of openSUSE Leap 15.4 go1.21-openssl-doc-1.21.5.1-150000.1.8.1 as a component of openSUSE Leap 15.4 go1.21-openssl-race-1.21.5.1-150000.1.8.1 as a component of openSUSE Leap 15.4 go1.21-openssl-1.21.5.1-150000.1.8.1 as a component of openSUSE Leap 15.5 go1.21-openssl-doc-1.21.5.1-150000.1.8.1 as a component of openSUSE Leap 15.5 go1.21-openssl-race-1.21.5.1-150000.1.8.1 as a component of openSUSE Leap 15.5 A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. CVE-2023-39326 Container bci/golang:latest:go1.21-openssl-1.21.5.1-150000.1.8.1 Container bci/golang:latest:go1.21-openssl-doc-1.21.5.1-150000.1.8.1 Container bci/golang:latest:go1.21-openssl-race-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.21-openssl-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.21-openssl-doc-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.21-openssl-race-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.21-openssl-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.21-openssl-doc-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.21-openssl-race-1.21.5.1-150000.1.8.1 openSUSE Leap 15.4:go1.21-openssl-1.21.5.1-150000.1.8.1 openSUSE Leap 15.4:go1.21-openssl-doc-1.21.5.1-150000.1.8.1 openSUSE Leap 15.4:go1.21-openssl-race-1.21.5.1-150000.1.8.1 openSUSE Leap 15.5:go1.21-openssl-1.21.5.1-150000.1.8.1 openSUSE Leap 15.5:go1.21-openssl-doc-1.21.5.1-150000.1.8.1 openSUSE Leap 15.5:go1.21-openssl-race-1.21.5.1-150000.1.8.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234931-1/ https://www.suse.com/security/cve/CVE-2023-39326.html CVE-2023-39326 https://bugzilla.suse.com/1217833 SUSE Bug 1217833 On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local. CVE-2023-45284 Container bci/golang:latest:go1.21-openssl-1.21.5.1-150000.1.8.1 Container bci/golang:latest:go1.21-openssl-doc-1.21.5.1-150000.1.8.1 Container bci/golang:latest:go1.21-openssl-race-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.21-openssl-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.21-openssl-doc-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.21-openssl-race-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.21-openssl-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.21-openssl-doc-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.21-openssl-race-1.21.5.1-150000.1.8.1 openSUSE Leap 15.4:go1.21-openssl-1.21.5.1-150000.1.8.1 openSUSE Leap 15.4:go1.21-openssl-doc-1.21.5.1-150000.1.8.1 openSUSE Leap 15.4:go1.21-openssl-race-1.21.5.1-150000.1.8.1 openSUSE Leap 15.5:go1.21-openssl-1.21.5.1-150000.1.8.1 openSUSE Leap 15.5:go1.21-openssl-doc-1.21.5.1-150000.1.8.1 openSUSE Leap 15.5:go1.21-openssl-race-1.21.5.1-150000.1.8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234931-1/ https://www.suse.com/security/cve/CVE-2023-45284.html CVE-2023-45284 https://bugzilla.suse.com/1216944 SUSE Bug 1216944 Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off). CVE-2023-45285 Container bci/golang:latest:go1.21-openssl-1.21.5.1-150000.1.8.1 Container bci/golang:latest:go1.21-openssl-doc-1.21.5.1-150000.1.8.1 Container bci/golang:latest:go1.21-openssl-race-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.21-openssl-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.21-openssl-doc-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:go1.21-openssl-race-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.21-openssl-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.21-openssl-doc-1.21.5.1-150000.1.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.21-openssl-race-1.21.5.1-150000.1.8.1 openSUSE Leap 15.4:go1.21-openssl-1.21.5.1-150000.1.8.1 openSUSE Leap 15.4:go1.21-openssl-doc-1.21.5.1-150000.1.8.1 openSUSE Leap 15.4:go1.21-openssl-race-1.21.5.1-150000.1.8.1 openSUSE Leap 15.5:go1.21-openssl-1.21.5.1-150000.1.8.1 openSUSE Leap 15.5:go1.21-openssl-doc-1.21.5.1-150000.1.8.1 openSUSE Leap 15.5:go1.21-openssl-race-1.21.5.1-150000.1.8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234931-1/ https://www.suse.com/security/cve/CVE-2023-45285.html CVE-2023-45285 https://bugzilla.suse.com/1217834 SUSE Bug 1217834