SUSE-SU-2020:2761-1

Source
https://www.suse.com/support/update/announcement/2020/suse-su-20202761-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2020:2761-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2020:2761-1
Related
Published
2020-09-28T07:24:52Z
Modified
2020-09-28T07:24:52Z
Summary
Security update for go1.14
Details

This update for go1.14 fixes the following issues:

  • go1.14.9 (released 2020-09-09) includes fixes to the compiler, linker, runtime, documentation, and the net/http and testing packages. Refs bsc#1164903 go1.14 release tracking

    • go#41192 net/http/fcgi: race detected during execution of TestResponseWriterSniffsContentType test
    • go#41016 net/http: Transport.CancelRequest no longer cancels in-flight request
    • go#40973 net/http: RoundTrip unexpectedly changes Request
    • go#40968 runtime: checkptr incorrectly -race flagging when using &^ arithmetic
    • go#40938 cmd/compile: R12 can be clobbered for write barrier call on PPC64
    • go#40848 testing: '=== PAUSE' lines do not change the test name for the next log line
    • go#40797 cmd/compile: inline marker targets not reachable after assembly on arm
    • go#40766 cmd/compile: inline marker targets not reachable after assembly on ppc64x
    • go#40501 cmd/compile: for range loop reading past slice end
    • go#40411 runtime: Windows service lifecycle events behave incorrectly when called within a golang environment
    • go#40398 runtime: fatal error: checkdead: runnable g
    • go#40192 runtime: pageAlloc.searchAddr may point to unmapped memory in discontiguous heaps, violating its invariant
    • go#39955 cmd/link: incorrect GC bitmap when global's type is in another shared object
    • go#39690 cmd/compile: s390x floating point <-> integer conversions clobbering the condition code
    • go#39279 net/http: Re-connect with upgraded HTTP2 connection fails to send Request.body
    • go#38904 doc: include fix for #34437 in Go 1.14 release notes
  • go1.14.8 (released 2020-09-01) includes security fixes to the net/http/cgi and net/http/fcgi packages. CVE-2020-24553 Refs bsc#1164903 go1.14 release tracking

    • bsc#1176031 CVE-2020-24553
    • go#41164 net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified
References

Affected packages

SUSE:Linux Enterprise Module for Development Tools 15 SP1 / go1.14

Package

Name
go1.14
Purl
purl:rpm/suse/go1.14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.14.9-1.18.1

Ecosystem specific

{
    "binaries": [
        {
            "go1.14-doc": "1.14.9-1.18.1",
            "go1.14": "1.14.9-1.18.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Development Tools 15 SP2 / go1.14

Package

Name
go1.14
Purl
purl:rpm/suse/go1.14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.14.9-1.18.1

Ecosystem specific

{
    "binaries": [
        {
            "go1.14-doc": "1.14.9-1.18.1",
            "go1.14": "1.14.9-1.18.1"
        }
    ]
}