go-1.7.0-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10028-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z go-1.7.0-2.1 on GA media These are all security issues fixed in the go-1.7.0-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10028 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2014-7189/ SUSE CVE CVE-2014-7189 page https://www.suse.com/security/cve/CVE-2015-8618/ SUSE CVE CVE-2015-8618 page https://www.suse.com/security/cve/CVE-2016-3959/ SUSE CVE CVE-2016-3959 page openSUSE Tumbleweed go-1.7.0-2.1 go-doc-1.7.0-2.1 go-1.7.0-2.1 as a component of openSUSE Tumbleweed go-doc-1.7.0-2.1 as a component of openSUSE Tumbleweed crpyto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors. CVE-2014-7189 openSUSE Tumbleweed:go-1.7.0-2.1 openSUSE Tumbleweed:go-doc-1.7.0-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-7189.html CVE-2014-7189 https://bugzilla.suse.com/898901 SUSE Bug 898901 The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors. CVE-2015-8618 openSUSE Tumbleweed:go-1.7.0-2.1 openSUSE Tumbleweed:go-doc-1.7.0-2.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8618.html CVE-2015-8618 https://bugzilla.suse.com/957814 SUSE Bug 957814 https://bugzilla.suse.com/960151 SUSE Bug 960151 The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries. CVE-2016-3959 openSUSE Tumbleweed:go-1.7.0-2.1 openSUSE Tumbleweed:go-doc-1.7.0-2.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3959.html CVE-2016-3959 https://bugzilla.suse.com/974232 SUSE Bug 974232