go1.14-1.14.15-1.6 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10807 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z go1.14-1.14.15-1.6 on GA media These are all security issues fixed in the go1.14-1.14.15-1.6 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10807 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10807 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2020-14039/ SUSE CVE CVE-2020-14039 page https://www.suse.com/security/cve/CVE-2020-15586/ SUSE CVE CVE-2020-15586 page https://www.suse.com/security/cve/CVE-2020-16845/ SUSE CVE CVE-2020-16845 page https://www.suse.com/security/cve/CVE-2020-24553/ SUSE CVE CVE-2020-24553 page https://www.suse.com/security/cve/CVE-2020-28362/ SUSE CVE CVE-2020-28362 page https://www.suse.com/security/cve/CVE-2020-28366/ SUSE CVE CVE-2020-28366 page https://www.suse.com/security/cve/CVE-2020-28367/ SUSE CVE CVE-2020-28367 page https://www.suse.com/security/cve/CVE-2021-3114/ SUSE CVE CVE-2021-3114 page https://www.suse.com/security/cve/CVE-2021-3115/ SUSE CVE CVE-2021-3115 page openSUSE Tumbleweed go1.14-1.14.15-1.6 go1.14-doc-1.14.15-1.6 go1.14-race-1.14.15-1.6 go1.14-1.14.15-1.6 as a component of openSUSE Tumbleweed go1.14-doc-1.14.15-1.6 as a component of openSUSE Tumbleweed go1.14-race-1.14.15-1.6 as a component of openSUSE Tumbleweed In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete. CVE-2020-14039 openSUSE Tumbleweed:go1.14-1.14.15-1.6 openSUSE Tumbleweed:go1.14-doc-1.14.15-1.6 openSUSE Tumbleweed:go1.14-race-1.14.15-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14039.html CVE-2020-14039 https://bugzilla.suse.com/1174191 SUSE Bug 1174191 Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time. CVE-2020-15586 openSUSE Tumbleweed:go1.14-1.14.15-1.6 openSUSE Tumbleweed:go1.14-doc-1.14.15-1.6 openSUSE Tumbleweed:go1.14-race-1.14.15-1.6 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15586.html CVE-2020-15586 https://bugzilla.suse.com/1174153 SUSE Bug 1174153 Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. CVE-2020-16845 openSUSE Tumbleweed:go1.14-1.14.15-1.6 openSUSE Tumbleweed:go1.14-doc-1.14.15-1.6 openSUSE Tumbleweed:go1.14-race-1.14.15-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-16845.html CVE-2020-16845 https://bugzilla.suse.com/1174977 SUSE Bug 1174977 Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. CVE-2020-24553 openSUSE Tumbleweed:go1.14-1.14.15-1.6 openSUSE Tumbleweed:go1.14-doc-1.14.15-1.6 openSUSE Tumbleweed:go1.14-race-1.14.15-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-24553.html CVE-2020-24553 https://bugzilla.suse.com/1176031 SUSE Bug 1176031 Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. CVE-2020-28362 openSUSE Tumbleweed:go1.14-1.14.15-1.6 openSUSE Tumbleweed:go1.14-doc-1.14.15-1.6 openSUSE Tumbleweed:go1.14-race-1.14.15-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-28362.html CVE-2020-28362 https://bugzilla.suse.com/1178750 SUSE Bug 1178750 Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. CVE-2020-28366 openSUSE Tumbleweed:go1.14-1.14.15-1.6 openSUSE Tumbleweed:go1.14-doc-1.14.15-1.6 openSUSE Tumbleweed:go1.14-race-1.14.15-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-28366.html CVE-2020-28366 https://bugzilla.suse.com/1178753 SUSE Bug 1178753 Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. CVE-2020-28367 openSUSE Tumbleweed:go1.14-1.14.15-1.6 openSUSE Tumbleweed:go1.14-doc-1.14.15-1.6 openSUSE Tumbleweed:go1.14-race-1.14.15-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-28367.html CVE-2020-28367 https://bugzilla.suse.com/1178752 SUSE Bug 1178752 In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. CVE-2021-3114 openSUSE Tumbleweed:go1.14-1.14.15-1.6 openSUSE Tumbleweed:go1.14-doc-1.14.15-1.6 openSUSE Tumbleweed:go1.14-race-1.14.15-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3114.html CVE-2021-3114 https://bugzilla.suse.com/1181145 SUSE Bug 1181145 Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). CVE-2021-3115 openSUSE Tumbleweed:go1.14-1.14.15-1.6 openSUSE Tumbleweed:go1.14-doc-1.14.15-1.6 openSUSE Tumbleweed:go1.14-race-1.14.15-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3115.html CVE-2021-3115 https://bugzilla.suse.com/1181146 SUSE Bug 1181146