You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa go

Sigurnosni nedostaci programskog paketa go

openSUSE Security Update: Security update for go1.15
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:2139-1
Rating: moderate
References: #1175132 #1178750 #1178752 #1178753
Cross-References: CVE-2020-28362 CVE-2020-28366 CVE-2020-28367

Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that solves three vulnerabilities and has one
errata is now available.

Description:

This update for go1.15 fixes the following issues:

– go1.15.5 (released 2020-11-12) includes security fixes to the cmd/go and
math/big packages.
* go#42553 math/big: panic during recursive division of very large
numbers (bsc#1178750 CVE-2020-28362)
* go#42560 cmd/go: arbitrary code can be injected into cgo generated
files (bsc#1178752 CVE-2020-28367)
* go#42557 cmd/go: improper validation of cgo flags can lead to remote
code execution at build time (bsc#1178753 CVE-2020-28366)
* go#42169 cmd/compile, runtime, reflect: pointers to go:notinheap types
must be stored indirectly in interfaces
* go#42151 cmd/cgo: opaque struct pointers are broken since Go 1.15.3
* go#42138 time: Location interprets wrong timezone (DST) with slim
zoneinfo
* go#42113 x/net/http2: the first write error on a connection will cause
all subsequent write requests to fail blindly
* go#41914 net/http: request.Clone doesn’t deep copy TransferEncoding
* go#41704 runtime: macOS syscall.Exec can get SIGILL due to preemption
signal
* go#41463 compress/flate: deflatefast produces corrupted output
* go#41387 x/net/http2: connection-level flow control not returned if
stream errors, causes server hang
* go#40974 cmd/link: sectionForAddress(0xA9D67F) address not in any
section file

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.2:

zypper in -t patch openSUSE-2020-2139=1

Package List:

– openSUSE Leap 15.2 (x86_64):

go1.15-1.15.5-lp152.2.1
go1.15-doc-1.15.5-lp152.2.1
go1.15-race-1.15.5-lp152.2.1

References:

https://www.suse.com/security/cve/CVE-2020-28362.html
https://www.suse.com/security/cve/CVE-2020-28366.html
https://www.suse.com/security/cve/CVE-2020-28367.html
https://bugzilla.suse.com/1175132
https://bugzilla.suse.com/1178750
https://bugzilla.suse.com/1178752
https://bugzilla.suse.com/1178753
_______________________________________________
openSUSE Security Announce mailing list — security-announce@lists.opensuse.org
To unsubscribe, email security-announce-leave@lists.opensuse.org
List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette
List Archives: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org

Top
More in Preporuke
Sigurnosni nedostatak programske biblioteke python setuptools

Otkriven je sigurnosni nedostatak programske biblioteke python setuptools za operacijski sustav openSUSE. Otkriveni nedostatak potencijalnim napadačima omogućuje izvođenje 'directory traversal'...

Close