Overview

File _patchinfo of Package patchinfo.28127

<patchinfo incident="28127">
  <issue tracker="bnc" id="1208271">VUL-0: TRACKERBUG: CVE-2022-41724: go1.19,go1.20: crypto/tls: large handshake records may cause panics</issue>
  <issue tracker="bnc" id="1208272">VUL-0: TRACKERBUG: CVE-2022-41725: go1.19,go1.20: net/http, mime/multipart: denial of service from excessive resource consumption</issue>
  <issue tracker="bnc" id="1208270">VUL-0: TRACKERBUG: CVE-2022-41723: go1.19,go1.20: net/http: avoid quadratic complexity in HPACK decoding</issue>
  <issue tracker="bnc" id="1200441">go1.19 release tracking</issue>
  <issue tracker="bnc" id="1208269">VUL-0: CVE-2022-41722: go1.19,go1.20: path/filepath: path traversal in filepath.Clean on Windows</issue>
  <issue tracker="cve" id="2022-41725"/>
  <issue tracker="cve" id="2022-41722"/>
  <issue tracker="cve" id="2022-41723"/>
  <issue tracker="cve" id="2022-41724"/>
  <packager>jfkw</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for go1.19</summary>
  <description>This update for go1.19 fixes the following issues:

- CVE-2022-41722: Fixed path traversal in filepath.Clean on Windows (bsc#1208269).
- CVE-2022-41723: Fixed quadratic complexity in HPACK decoding (bsc#1208270).
- CVE-2022-41724: Fixed panic with arge handshake records in crypto/tls (bsc#1208271).
- CVE-2022-41725: Fixed denial of service from excessive resource consumption in net/http and mime/multipart (bsc#1208272).

Update to go1.19.6:
* go#57275 bsc#1208269 security: fix CVE-2022-41722
* go#58355 bsc#1208270 security: fix CVE-2022-41723
* go#58358 bsc#1208271 security: fix CVE-2022-41724
* go#58362 bsc#1208272 security: fix CVE-2022-41725
* go#56154 net/http: bad handling of HEAD requests with a body
* go#57635 crypto/x509: TestBoringAllowCert failures
* go#57812 runtime: performance regression due to bad instruction used in morestack_noctxt for ppc64 in CL 425396
* go#58118 time: update zoneinfo_abbrs on Windows
* go#58223 cmd/link: .go.buildinfo is gc'ed by --gc-sections
* go#58449 cmd/go/internal/modfetch: TestCodeRepo/gopkg.in_natefinch_lumberjack.v2/latest failing
  
Update to go1.19.5 (bsc#1200441):
* go#57706 Misc/cgo: backport needed for dlltool fix
* go#57556 crypto/x509: re-allow duplicate attributes in CSRs
* go#57444 cmd/link: need to handle new-style LoongArch relocs
* go#57427 crypto/x509: Verify on macOS does not return typed errors
* go#57345 cmd/compile: the loong64 intrinsic for CompareAndSwapUint32 function needs to sign extend its "old" argument.
* go#57339 syscall, internal/poll: accept4-to-accept fallback removal broke Go code on Synology DSM 6.2 ARM devices
* go#57214 os: TestLstat failure on Linux Aarch64
* go#57212 reflect: sort.SliceStable sorts incorrectly on arm64 with less function created with reflect.MakeFunc and slice of sufficient length
* go#57124 sync/atomic: allow linked lists of atomic.Pointer
* go#57100 cmd/compile: non-retpoline-compatible errors
* go#57058 cmd/go: remove test dependency on gopkg.in service
* go#57055 cmd/go: TestScript/version_buildvcs_git_gpg (if enabled) fails on linux longtest builders
* go#56983 runtime: failure in TestRaiseException on windows-amd64-2012
* go#56834 cmd/link/internal/ppc64: too-far trampoline is reused
* go#56770 cmd/compile: walkConvInterface produces broken IR
* go#56744 cmd/compile: internal compiler error: missing typecheck
* go#56712 net: reenable TestLookupDotsWithRemoteSource and TestLookupGoogleSRV with a different target
* go#56154 net/http: bad handling of HEAD requests with a body
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places