SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3785-1
Container Tags        : bci/golang:1.20-openssl , bci/golang:1.20-openssl-8.2 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-8.2
Container Release     : 8.2
Severity              : important
Type                  : security
References            : 1206346 1206346 1206346 1213229 1213880 1215084 1215085 1215090 1215985 1216109 1216943 1216944 CVE-2023-29406 CVE-2023-29409 CVE-2023-39318 CVE-2023-39319 CVE-2023-39323 CVE-2023-39325 CVE-2023-44487 CVE-2023-45283 CVE-2023-45284
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2023:2601-1
Released:    Wed Jun 21 15:42:34 2023
Summary:     Optional update for go1.20-openssl
Type:        optional
Severity:    moderate
References:

This update for go1.20-openssl fixes the following issues:

This update delivers a go1.20 1.20.5.2 package built with its cryptography using the system openssl library. (jsc#SLE-18320 jsc#PED-1962)

This allows Go binaries built with go1.20-openssl to operate in FIPS 140-2/3 mode.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3002-1
Released:    Thu Jul 27 12:38:13 2023
Summary:     Security update for go1.20-openssl
Type:        security
Severity:    moderate
References:  1206346,1213229,CVE-2023-29406

This update for go1.20-openssl fixes the following issues:

Update to version 1.20.6.1 (bsc#1206346):

- CVE-2023-29406: Fixed insufficient sanitization of Host header (bsc#1213229).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3840-1
Released:    Wed Sep 27 19:34:42 2023
Summary:     Security update for go1.20-openssl
Type:        security
Severity:    important
References:  1206346,1213880,1215084,1215085,1215090,CVE-2023-29409,CVE-2023-39318,CVE-2023-39319

This update for go1.20-openssl fixes the following issues:

Update to version 1.20.8 (bsc#1206346).

- CVE-2023-29409: Fixed unrestricted RSA keys in certificates (bsc#1213880).
- CVE-2023-39319: Fixed improper handling of special tags within script contexts in html/template (bsc#1215085).
- CVE-2023-39318: Fixed improper handling of HTML-like comments within script contexts (bsc#1215084).

The following non-security bug was fixed:

- Add missing pprof html asset directory to package (bsc#1215090).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4472-1
Released:    Thu Nov 16 19:01:27 2023
Summary:     Security update for go1.20-openssl
Type:        security
Severity:    important
References:  1206346,1215985,1216109,1216943,1216944,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487,CVE-2023-45283,CVE-2023-45284

This update for go1.20-openssl fixes the following issues:

Update to version 1.20.11.1 cut from the go1.20-openssl-fips branch at the revision tagged go1.20.11-1-openssl-fips.

* Update to go1.20.11

go1.20.11 (released 2023-11-07) includes security fixes to the path/filepath package, as well as bug fixes to the linker and the net/http package.

* security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths (bsc#1216943, bsc#1216944)
* cmd/link: split text sections for arm 32-bit
* net/http: http2 page fails on firefox/safari if pushing resources

Update to version 1.20.10.1 cut from the go1.20-openssl-fips branch at the revision tagged go1.20.10-1-openssl-fips.

* Update to go1.20.10

go1.20.10 (released 2023-10-10) includes a security fix to the net/http package.

* security: fix CVE-2023-39325 CVE-2023-44487 net/http: rapid stream resets can cause excessive work (bsc#1216109)

go1.20.9 (released 2023-10-05) includes one security fix to the cmd/go package, as well as bug fixes to the go command and the linker.

* security: fix CVE-2023-39323 cmd/go: line directives allows arbitrary execution during build (bsc#1215985)
* cmd/link: issues with Apple's new linker in Xcode 15 beta

The following package changes have been done:

- go1.20-openssl-doc-1.20.11.1-150000.1.14.1 added
- go1.20-openssl-1.20.11.1-150000.1.14.1 added
- go1.20-openssl-race-1.20.11.1-150000.1.14.1 added
- go1.19-openssl-1.19.13.1-150000.1.8.1 removed
- go1.19-openssl-doc-1.19.13.1-150000.1.8.1 removed
- go1.19-openssl-race-1.19.13.1-150000.1.8.1 removed