Security update for go1.21 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1936-1 Final 1 1 2024-06-07T08:26:47Z current 2024-06-07T08:26:47Z 2024-06-07T08:26:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.21 This update for go1.21 fixes the following issues: go1.21.11 release (bsc#1212475). - CVE-2024-24789: Fixed mishandling of corrupt central directory record in archive/zip (bsc#1225973). - CVE-2024-24790: Fixed unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (bsc#1225974). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-1936,SUSE-SLE-SDK-12-SP5-2024-1936 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241936-1/ Link for SUSE-SU-2024:1936-1 https://lists.suse.com/pipermail/sle-updates/2024-June/035487.html E-Mail link for SUSE-SU-2024:1936-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1212475 SUSE Bug 1212475 https://bugzilla.suse.com/1225973 SUSE Bug 1225973 https://bugzilla.suse.com/1225974 SUSE Bug 1225974 https://www.suse.com/security/cve/CVE-2024-24789/ SUSE CVE CVE-2024-24789 page https://www.suse.com/security/cve/CVE-2024-24790/ SUSE CVE CVE-2024-24790 page SUSE Linux Enterprise Software Development Kit 12 SP5 go1.21-1.21.11-1.36.1 go1.21-doc-1.21.11-1.36.1 go1.21-1.21.11-1.36.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 go1.21-doc-1.21.11-1.36.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. CVE-2024-24789 SUSE Linux Enterprise Software Development Kit 12 SP5:go1.21-1.21.11-1.36.1 SUSE Linux Enterprise Software Development Kit 12 SP5:go1.21-doc-1.21.11-1.36.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241936-1/ https://www.suse.com/security/cve/CVE-2024-24789.html CVE-2024-24789 https://bugzilla.suse.com/1225973 SUSE Bug 1225973 The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. CVE-2024-24790 SUSE Linux Enterprise Software Development Kit 12 SP5:go1.21-1.21.11-1.36.1 SUSE Linux Enterprise Software Development Kit 12 SP5:go1.21-doc-1.21.11-1.36.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241936-1/ https://www.suse.com/security/cve/CVE-2024-24790.html CVE-2024-24790 https://bugzilla.suse.com/1225974 SUSE Bug 1225974