Security update for go1.22 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1573-1 Final 1 1 2024-05-09T11:18:26Z current 2024-05-09T11:18:26Z 2024-05-09T11:18:26Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.22 This update for go1.22 fixes the following issues: Update to go1.22.3: - CVE-2024-24787: cmd/go: arbitrary code execution during build on darwin (bsc#1224017) - CVE-2024-24788: net: high cpu usage in extractExtendedRCode (bsc#1224018) - cmd/compile: Go 1.22.x failed to be bootstrapped from 386 to ppc64le - cmd/compile: changing a hot concrete method to interface method triggers a PGO ICE - runtime: deterministic fallback hashes across process boundary - net/http: TestRequestLimit/h2 becomes significantly more expensive and slower after x/net@v0.23.0 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-1573,SUSE-SLE-SDK-12-SP5-2024-1573 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241573-1/ Link for SUSE-SU-2024:1573-1 https://lists.suse.com/pipermail/sle-updates/2024-May/035205.html E-Mail link for SUSE-SU-2024:1573-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1218424 SUSE Bug 1218424 https://bugzilla.suse.com/1224017 SUSE Bug 1224017 https://bugzilla.suse.com/1224018 SUSE Bug 1224018 https://www.suse.com/security/cve/CVE-2024-24787/ SUSE CVE CVE-2024-24787 page https://www.suse.com/security/cve/CVE-2024-24788/ SUSE CVE CVE-2024-24788 page SUSE Linux Enterprise Software Development Kit 12 SP5 go1.22-1.22.3-1.9.1 go1.22-doc-1.22.3-1.9.1 go1.22-1.22.3-1.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 go1.22-doc-1.22.3-1.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive. CVE-2024-24787 SUSE Linux Enterprise Software Development Kit 12 SP5:go1.22-1.22.3-1.9.1 SUSE Linux Enterprise Software Development Kit 12 SP5:go1.22-doc-1.22.3-1.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241573-1/ https://www.suse.com/security/cve/CVE-2024-24787.html CVE-2024-24787 https://bugzilla.suse.com/1224017 SUSE Bug 1224017 A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. CVE-2024-24788 SUSE Linux Enterprise Software Development Kit 12 SP5:go1.22-1.22.3-1.9.1 SUSE Linux Enterprise Software Development Kit 12 SP5:go1.22-doc-1.22.3-1.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241573-1/ https://www.suse.com/security/cve/CVE-2024-24788.html CVE-2024-24788 https://bugzilla.suse.com/1224018 SUSE Bug 1224018