go1.18-1.18.3-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12124-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z go1.18-1.18.3-1.1 on GA media These are all security issues fixed in the go1.18-1.18.3-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12124 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-29804/ SUSE CVE CVE-2022-29804 page https://www.suse.com/security/cve/CVE-2022-30580/ SUSE CVE CVE-2022-30580 page https://www.suse.com/security/cve/CVE-2022-30629/ SUSE CVE CVE-2022-30629 page https://www.suse.com/security/cve/CVE-2022-30634/ SUSE CVE CVE-2022-30634 page openSUSE Tumbleweed go1.18-1.18.3-1.1 go1.18-doc-1.18.3-1.1 go1.18-race-1.18.3-1.1 go1.18-1.18.3-1.1 as a component of openSUSE Tumbleweed go1.18-doc-1.18.3-1.1 as a component of openSUSE Tumbleweed go1.18-race-1.18.3-1.1 as a component of openSUSE Tumbleweed Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack. CVE-2022-29804 openSUSE Tumbleweed:go1.18-1.18.3-1.1 openSUSE Tumbleweed:go1.18-doc-1.18.3-1.1 openSUSE Tumbleweed:go1.18-race-1.18.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-29804.html CVE-2022-29804 https://bugzilla.suse.com/1200137 SUSE Bug 1200137 Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset. CVE-2022-30580 openSUSE Tumbleweed:go1.18-1.18.3-1.1 openSUSE Tumbleweed:go1.18-doc-1.18.3-1.1 openSUSE Tumbleweed:go1.18-race-1.18.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-30580.html CVE-2022-30580 https://bugzilla.suse.com/1200136 SUSE Bug 1200136 Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. CVE-2022-30629 openSUSE Tumbleweed:go1.18-1.18.3-1.1 openSUSE Tumbleweed:go1.18-doc-1.18.3-1.1 openSUSE Tumbleweed:go1.18-race-1.18.3-1.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-30629.html CVE-2022-30629 https://bugzilla.suse.com/1200135 SUSE Bug 1200135 Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes. CVE-2022-30634 openSUSE Tumbleweed:go1.18-1.18.3-1.1 openSUSE Tumbleweed:go1.18-doc-1.18.3-1.1 openSUSE Tumbleweed:go1.18-race-1.18.3-1.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-30634.html CVE-2022-30634 https://bugzilla.suse.com/1200134 SUSE Bug 1200134