Security update for go1.15 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:2139-1 Final 1 1 2020-12-01T11:24:50Z current 2020-12-01T11:24:50Z 2020-12-01T11:24:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.15 This update for go1.15 fixes the following issues: - go1.15.5 (released 2020-11-12) includes security fixes to the cmd/go and math/big packages. * go#42553 math/big: panic during recursive division of very large numbers (bsc#1178750 CVE-2020-28362) * go#42560 cmd/go: arbitrary code can be injected into cgo generated files (bsc#1178752 CVE-2020-28367) * go#42557 cmd/go: improper validation of cgo flags can lead to remote code execution at build time (bsc#1178753 CVE-2020-28366) * go#42169 cmd/compile, runtime, reflect: pointers to go:notinheap types must be stored indirectly in interfaces * go#42151 cmd/cgo: opaque struct pointers are broken since Go 1.15.3 * go#42138 time: Location interprets wrong timezone (DST) with slim zoneinfo * go#42113 x/net/http2: the first write error on a connection will cause all subsequent write requests to fail blindly * go#41914 net/http: request.Clone doesn't deep copy TransferEncoding * go#41704 runtime: macOS syscall.Exec can get SIGILL due to preemption signal * go#41463 compress/flate: deflatefast produces corrupted output * go#41387 x/net/http2: connection-level flow control not returned if stream errors, causes server hang * go#40974 cmd/link: sectionForAddress(0xA9D67F) address not in any section file The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-2139 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5HGUG34M7TVN5CJXWIHJF454FAT7TTWY/ E-Mail link for openSUSE-SU-2020:2139-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1175132 SUSE Bug 1175132 https://bugzilla.suse.com/1178750 SUSE Bug 1178750 https://bugzilla.suse.com/1178752 SUSE Bug 1178752 https://bugzilla.suse.com/1178753 SUSE Bug 1178753 https://www.suse.com/security/cve/CVE-2020-28362/ SUSE CVE CVE-2020-28362 page https://www.suse.com/security/cve/CVE-2020-28366/ SUSE CVE CVE-2020-28366 page https://www.suse.com/security/cve/CVE-2020-28367/ SUSE CVE CVE-2020-28367 page openSUSE Leap 15.2 go1.15-1.15.5-lp152.2.1 go1.15-doc-1.15.5-lp152.2.1 go1.15-race-1.15.5-lp152.2.1 go1.15-1.15.5-lp152.2.1 as a component of openSUSE Leap 15.2 go1.15-doc-1.15.5-lp152.2.1 as a component of openSUSE Leap 15.2 go1.15-race-1.15.5-lp152.2.1 as a component of openSUSE Leap 15.2 Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. CVE-2020-28362 openSUSE Leap 15.2:go1.15-1.15.5-lp152.2.1 openSUSE Leap 15.2:go1.15-doc-1.15.5-lp152.2.1 openSUSE Leap 15.2:go1.15-race-1.15.5-lp152.2.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5HGUG34M7TVN5CJXWIHJF454FAT7TTWY/ https://www.suse.com/security/cve/CVE-2020-28362.html CVE-2020-28362 https://bugzilla.suse.com/1178750 SUSE Bug 1178750 Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. CVE-2020-28366 openSUSE Leap 15.2:go1.15-1.15.5-lp152.2.1 openSUSE Leap 15.2:go1.15-doc-1.15.5-lp152.2.1 openSUSE Leap 15.2:go1.15-race-1.15.5-lp152.2.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5HGUG34M7TVN5CJXWIHJF454FAT7TTWY/ https://www.suse.com/security/cve/CVE-2020-28366.html CVE-2020-28366 https://bugzilla.suse.com/1178753 SUSE Bug 1178753 Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. CVE-2020-28367 openSUSE Leap 15.2:go1.15-1.15.5-lp152.2.1 openSUSE Leap 15.2:go1.15-doc-1.15.5-lp152.2.1 openSUSE Leap 15.2:go1.15-race-1.15.5-lp152.2.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5HGUG34M7TVN5CJXWIHJF454FAT7TTWY/ https://www.suse.com/security/cve/CVE-2020-28367.html CVE-2020-28367 https://bugzilla.suse.com/1178752 SUSE Bug 1178752