- go1.20.3 (released 2023-04-04) includes security fixes to the
  go/parser, html/template, mime/multipart, net/http, and
  net/textproto packages, as well as bug fixes to the compiler, the
  linker, the runtime, and the time package.
  Refs boo#1206346 go1.20 release tracking
  CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538
  * go#59268 go#58975 boo#1210127 security: net/http, net/textproto: denial of service from excessive memory allocation ​(CVE-2023-24534)
  * go#59270 go#59153 boo#1210128 security: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536)
  * go#59274 go#59180 boo#1210129 security: go/parser: infinite loop in parsing (CVE-2023-24537)
  * go#59272 go#59234 boo#1210130 security: html/template: backticks not treated as string delimiters (CVE-2023-24538)
  * go#58920 x/text: building as a plugin failure on darwin/arm64
  * go#58938 cmd/go: timeout on darwin-amd64-race builder
  * go#58942 internal/testpty: fails on some Linux machines due to incorrect error handling
  * go#58954 cmd/link: Incorrect symbol linked in darwin/arm64
  * go#59051 cmd/link: linker fails on linux/amd64 when gcc's lto options are used
  * go#59059 cmd/link/internal/arm: off-by-one error in trampoline phase call reachability calculation
  * go#59075 time: time zone lookup using extend string makes wrong start time for non-DST zones
  * go#59220 runtime: crash on linux-ppc64le
  * go#59236 cmd/compile: crypto/elliptic build error under -linkshared mode
  * go#59296 cmd/compile: unsafe.SliceData incoherent resuilt with nil argument

- Build subpackage go1.20-libstd compiled shared object libstd.so
  only on Tumbleweed at this time.
  Refs jsc#PED-1962 (forwarded request 1077383 from jfkw)

• Files Changed
• Browse Source