go1.17-1.17.12-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12189 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z go1.17-1.17.12-1.1 on GA media These are all security issues fixed in the go1.17-1.17.12-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12189 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12189 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-1705/ SUSE CVE CVE-2022-1705 page https://www.suse.com/security/cve/CVE-2022-1962/ SUSE CVE CVE-2022-1962 page https://www.suse.com/security/cve/CVE-2022-28131/ SUSE CVE CVE-2022-28131 page https://www.suse.com/security/cve/CVE-2022-30630/ SUSE CVE CVE-2022-30630 page https://www.suse.com/security/cve/CVE-2022-30631/ SUSE CVE CVE-2022-30631 page https://www.suse.com/security/cve/CVE-2022-30632/ SUSE CVE CVE-2022-30632 page https://www.suse.com/security/cve/CVE-2022-30633/ SUSE CVE CVE-2022-30633 page https://www.suse.com/security/cve/CVE-2022-30635/ SUSE CVE CVE-2022-30635 page https://www.suse.com/security/cve/CVE-2022-32148/ SUSE CVE CVE-2022-32148 page openSUSE Tumbleweed go1.17-1.17.12-1.1 go1.17-doc-1.17.12-1.1 go1.17-race-1.17.12-1.1 go1.17-1.17.12-1.1 as a component of openSUSE Tumbleweed go1.17-doc-1.17.12-1.1 as a component of openSUSE Tumbleweed go1.17-race-1.17.12-1.1 as a component of openSUSE Tumbleweed Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid. CVE-2022-1705 openSUSE Tumbleweed:go1.17-1.17.12-1.1 openSUSE Tumbleweed:go1.17-doc-1.17.12-1.1 openSUSE Tumbleweed:go1.17-race-1.17.12-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-1705.html CVE-2022-1705 https://bugzilla.suse.com/1201434 SUSE Bug 1201434 Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. CVE-2022-1962 openSUSE Tumbleweed:go1.17-1.17.12-1.1 openSUSE Tumbleweed:go1.17-doc-1.17.12-1.1 openSUSE Tumbleweed:go1.17-race-1.17.12-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-1962.html CVE-2022-1962 https://bugzilla.suse.com/1201448 SUSE Bug 1201448 Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document. CVE-2022-28131 openSUSE Tumbleweed:go1.17-1.17.12-1.1 openSUSE Tumbleweed:go1.17-doc-1.17.12-1.1 openSUSE Tumbleweed:go1.17-race-1.17.12-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-28131.html CVE-2022-28131 https://bugzilla.suse.com/1201443 SUSE Bug 1201443 Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. CVE-2022-30630 openSUSE Tumbleweed:go1.17-1.17.12-1.1 openSUSE Tumbleweed:go1.17-doc-1.17.12-1.1 openSUSE Tumbleweed:go1.17-race-1.17.12-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-30630.html CVE-2022-30630 https://bugzilla.suse.com/1201447 SUSE Bug 1201447 Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files. CVE-2022-30631 openSUSE Tumbleweed:go1.17-1.17.12-1.1 openSUSE Tumbleweed:go1.17-doc-1.17.12-1.1 openSUSE Tumbleweed:go1.17-race-1.17.12-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-30631.html CVE-2022-30631 https://bugzilla.suse.com/1201437 SUSE Bug 1201437 Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators. CVE-2022-30632 openSUSE Tumbleweed:go1.17-1.17.12-1.1 openSUSE Tumbleweed:go1.17-doc-1.17.12-1.1 openSUSE Tumbleweed:go1.17-race-1.17.12-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-30632.html CVE-2022-30632 https://bugzilla.suse.com/1201445 SUSE Bug 1201445 Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag. CVE-2022-30633 openSUSE Tumbleweed:go1.17-1.17.12-1.1 openSUSE Tumbleweed:go1.17-doc-1.17.12-1.1 openSUSE Tumbleweed:go1.17-race-1.17.12-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-30633.html CVE-2022-30633 https://bugzilla.suse.com/1201440 SUSE Bug 1201440 Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures. CVE-2022-30635 openSUSE Tumbleweed:go1.17-1.17.12-1.1 openSUSE Tumbleweed:go1.17-doc-1.17.12-1.1 openSUSE Tumbleweed:go1.17-race-1.17.12-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-30635.html CVE-2022-30635 https://bugzilla.suse.com/1201444 SUSE Bug 1201444 Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header. CVE-2022-32148 openSUSE Tumbleweed:go1.17-1.17.12-1.1 openSUSE Tumbleweed:go1.17-doc-1.17.12-1.1 openSUSE Tumbleweed:go1.17-race-1.17.12-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-32148.html CVE-2022-32148 https://bugzilla.suse.com/1201436 SUSE Bug 1201436