go1.21-1.21.8-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13756-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z go1.21-1.21.8-1.1 on GA media These are all security issues fixed in the go1.21-1.21.8-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13756 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-45289/ SUSE CVE CVE-2023-45289 page https://www.suse.com/security/cve/CVE-2023-45290/ SUSE CVE CVE-2023-45290 page https://www.suse.com/security/cve/CVE-2024-24783/ SUSE CVE CVE-2024-24783 page https://www.suse.com/security/cve/CVE-2024-24784/ SUSE CVE CVE-2024-24784 page https://www.suse.com/security/cve/CVE-2024-24785/ SUSE CVE CVE-2024-24785 page openSUSE Tumbleweed go1.21-1.21.8-1.1 go1.21-doc-1.21.8-1.1 go1.21-libstd-1.21.8-1.1 go1.21-race-1.21.8-1.1 go1.21-1.21.8-1.1 as a component of openSUSE Tumbleweed go1.21-doc-1.21.8-1.1 as a component of openSUSE Tumbleweed go1.21-libstd-1.21.8-1.1 as a component of openSUSE Tumbleweed go1.21-race-1.21.8-1.1 as a component of openSUSE Tumbleweed When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. CVE-2023-45289 openSUSE Tumbleweed:go1.21-1.21.8-1.1 openSUSE Tumbleweed:go1.21-doc-1.21.8-1.1 openSUSE Tumbleweed:go1.21-libstd-1.21.8-1.1 openSUSE Tumbleweed:go1.21-race-1.21.8-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-45289.html CVE-2023-45289 https://bugzilla.suse.com/1221000 SUSE Bug 1221000 When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines. CVE-2023-45290 openSUSE Tumbleweed:go1.21-1.21.8-1.1 openSUSE Tumbleweed:go1.21-doc-1.21.8-1.1 openSUSE Tumbleweed:go1.21-libstd-1.21.8-1.1 openSUSE Tumbleweed:go1.21-race-1.21.8-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-45290.html CVE-2023-45290 https://bugzilla.suse.com/1221001 SUSE Bug 1221001 Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates. CVE-2024-24783 openSUSE Tumbleweed:go1.21-1.21.8-1.1 openSUSE Tumbleweed:go1.21-doc-1.21.8-1.1 openSUSE Tumbleweed:go1.21-libstd-1.21.8-1.1 openSUSE Tumbleweed:go1.21-race-1.21.8-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-24783.html CVE-2024-24783 https://bugzilla.suse.com/1220999 SUSE Bug 1220999 The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. CVE-2024-24784 openSUSE Tumbleweed:go1.21-1.21.8-1.1 openSUSE Tumbleweed:go1.21-doc-1.21.8-1.1 openSUSE Tumbleweed:go1.21-libstd-1.21.8-1.1 openSUSE Tumbleweed:go1.21-race-1.21.8-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-24784.html CVE-2024-24784 https://bugzilla.suse.com/1221002 SUSE Bug 1221002 If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. CVE-2024-24785 openSUSE Tumbleweed:go1.21-1.21.8-1.1 openSUSE Tumbleweed:go1.21-doc-1.21.8-1.1 openSUSE Tumbleweed:go1.21-libstd-1.21.8-1.1 openSUSE Tumbleweed:go1.21-race-1.21.8-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-24785.html CVE-2024-24785 https://bugzilla.suse.com/1221003 SUSE Bug 1221003