Security update for go1.21 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1969-1 Final 1 1 2024-06-10T18:04:52Z current 2024-06-10T18:04:52Z 2024-06-10T18:04:52Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.21 This update for go1.21 fixes the following issues: go1.21.11 release (bsc#1212475). - CVE-2024-24789: Fixed mishandling of corrupt central directory record in archive/zip (bsc#1225973). - CVE-2024-24790: Fixed unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (bsc#1225974). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/golang:1.21-2024-1969,SUSE-2024-1969,SUSE-SLE-Module-Development-Tools-15-SP5-2024-1969,SUSE-SLE-Module-Development-Tools-15-SP6-2024-1969,openSUSE-SLE-15.5-2024-1969,openSUSE-SLE-15.6-2024-1969 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241969-1/ Link for SUSE-SU-2024:1969-1 https://lists.suse.com/pipermail/sle-updates/2024-June/035524.html E-Mail link for SUSE-SU-2024:1969-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1212475 SUSE Bug 1212475 https://bugzilla.suse.com/1225973 SUSE Bug 1225973 https://bugzilla.suse.com/1225974 SUSE Bug 1225974 https://www.suse.com/security/cve/CVE-2024-24789/ SUSE CVE CVE-2024-24789 page https://www.suse.com/security/cve/CVE-2024-24790/ SUSE CVE CVE-2024-24790 page Container bci/golang:1.21 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 go1.21-1.21.11-150000.1.36.1 go1.21-doc-1.21.11-150000.1.36.1 go1.21-race-1.21.11-150000.1.36.1 go1.21-1.21.11-150000.1.36.1 as a component of Container bci/golang:1.21 go1.21-doc-1.21.11-150000.1.36.1 as a component of Container bci/golang:1.21 go1.21-race-1.21.11-150000.1.36.1 as a component of Container bci/golang:1.21 go1.21-1.21.11-150000.1.36.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 go1.21-doc-1.21.11-150000.1.36.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 go1.21-race-1.21.11-150000.1.36.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 go1.21-1.21.11-150000.1.36.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 go1.21-doc-1.21.11-150000.1.36.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 go1.21-race-1.21.11-150000.1.36.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 go1.21-1.21.11-150000.1.36.1 as a component of openSUSE Leap 15.5 go1.21-doc-1.21.11-150000.1.36.1 as a component of openSUSE Leap 15.5 go1.21-race-1.21.11-150000.1.36.1 as a component of openSUSE Leap 15.5 go1.21-1.21.11-150000.1.36.1 as a component of openSUSE Leap 15.6 go1.21-doc-1.21.11-150000.1.36.1 as a component of openSUSE Leap 15.6 go1.21-race-1.21.11-150000.1.36.1 as a component of openSUSE Leap 15.6 The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. CVE-2024-24789 Container bci/golang:1.21:go1.21-1.21.11-150000.1.36.1 Container bci/golang:1.21:go1.21-doc-1.21.11-150000.1.36.1 Container bci/golang:1.21:go1.21-race-1.21.11-150000.1.36.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.21-1.21.11-150000.1.36.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.21-doc-1.21.11-150000.1.36.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.21-race-1.21.11-150000.1.36.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.21-1.21.11-150000.1.36.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.21-doc-1.21.11-150000.1.36.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.21-race-1.21.11-150000.1.36.1 openSUSE Leap 15.5:go1.21-1.21.11-150000.1.36.1 openSUSE Leap 15.5:go1.21-doc-1.21.11-150000.1.36.1 openSUSE Leap 15.5:go1.21-race-1.21.11-150000.1.36.1 openSUSE Leap 15.6:go1.21-1.21.11-150000.1.36.1 openSUSE Leap 15.6:go1.21-doc-1.21.11-150000.1.36.1 openSUSE Leap 15.6:go1.21-race-1.21.11-150000.1.36.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241969-1/ https://www.suse.com/security/cve/CVE-2024-24789.html CVE-2024-24789 https://bugzilla.suse.com/1225973 SUSE Bug 1225973 The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. CVE-2024-24790 Container bci/golang:1.21:go1.21-1.21.11-150000.1.36.1 Container bci/golang:1.21:go1.21-doc-1.21.11-150000.1.36.1 Container bci/golang:1.21:go1.21-race-1.21.11-150000.1.36.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.21-1.21.11-150000.1.36.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.21-doc-1.21.11-150000.1.36.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:go1.21-race-1.21.11-150000.1.36.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.21-1.21.11-150000.1.36.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.21-doc-1.21.11-150000.1.36.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.21-race-1.21.11-150000.1.36.1 openSUSE Leap 15.5:go1.21-1.21.11-150000.1.36.1 openSUSE Leap 15.5:go1.21-doc-1.21.11-150000.1.36.1 openSUSE Leap 15.5:go1.21-race-1.21.11-150000.1.36.1 openSUSE Leap 15.6:go1.21-1.21.11-150000.1.36.1 openSUSE Leap 15.6:go1.21-doc-1.21.11-150000.1.36.1 openSUSE Leap 15.6:go1.21-race-1.21.11-150000.1.36.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241969-1/ https://www.suse.com/security/cve/CVE-2024-24790.html CVE-2024-24790 https://bugzilla.suse.com/1225974 SUSE Bug 1225974