File _patchinfo of Package patchinfo.16032

Overview Repositories Revisions Requests Users Attributes Meta

File _patchinfo of Package patchinfo.16032

<patchinfo incident="16032">
  <issue tracker="cve" id="2020-16845"/>
  <issue tracker="cve" id="2020-14039"/>
  <issue tracker="cve" id="2020-15586"/>
  <issue tracker="bnc" id="1169832">armv6hl: Go applications fails with "Illegal instruction (core dumped)"</issue>
  <issue tracker="bnc" id="1174191">VUL-1: CVE-2020-14039: golang: X.509 verification ignores provided EKUs on Windows</issue>
  <issue tracker="bnc" id="1149259">go1.13 release tracking</issue>
  <issue tracker="bnc" id="1172868">golang doesn't honour /usr/etc/nsswitch.conf</issue>
  <issue tracker="bnc" id="1170826">Go packages miss binutils-gold dependency</issue>
  <issue tracker="bnc" id="1174153">VUL-0: CVE-2020-15586: golang: data race in certain net/http servers including ReverseProxy can lead to DoS</issue>
  <issue tracker="bnc" id="1174977">(CVE-2020-16845) VUL-0: CVE-2020-16845: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs</issue>
  <packager>jfkw</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for go1.13</summary>
  <description>This update for go1.13 fixes the following issues:

- go1.13 was updated to version 1.13.5 
- CVE-2020-16845: dUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (bsc#1174977).

- go1.13.14 (released 2020/07/16) includes fixes to the compiler,
  vet, and the database/sql, net/http, and reflect packages
  Refs bsc#1149259 go1.13 release tracking
  * go#39925 net/http: panic on misformed If-None-Match Header with http.ServeContent
  * go#39848 cmd/compile: internal compile error when using sync.Pool: mismatched zero/store sizes
  * go#39823 cmd/go: TestBuildIDContainsArchModeEnv/386 fails on linux/386 in Go 1.14 and 1.13, not 1.15
  * go#39697 reflect: panic from malloc after MakeFunc function returns value that is also stored globally
  * go#39561 cmd/compile/internal/ssa: TestNexting/dlv-dbg-hist failing on linux-386-longtest builder because it tries to use an older version of dlv which only supports linux/amd64
  * go#39538 net: TestDialParallel is flaky on windows-amd64-longtest
  * go#39287 cmd/vet: update for new number formats

- go1.13.13 (released 2020/07/14) includes security fixes to the
  crypto/x509 and net/http packages addressing the following CVE:
  CVE-2020-15586 CVE-2020-14039
  Refs bsc#1174153 bsc#1174191
  Refs bsc#1149259 go1.13 release tracking
  * bsc#1174153 CVE-2020-15586
  * bsc#1174191 CVE-2020-14039 (Windows only)
  * go#40211 net/http: Expect 100-continue panics in httputil.ReverseProxy
  * go#40209 crypto/x509: Certificate.Verify method seemingly ignoring EKU requirements on Windows

- Packaging improvements for update-alternatives priority,
  %license tag, and permissions in %files macro section.
  * update-alternatives increment priority on this and subsequent
    go1.x versions using priority = 20 + (minor version) i.e.
    go1.13 = 33, go1.14 = 34, etc.
  * Use %license tag for LICENSE keep %doc for suse_version &lt; 1500
  * Remove %defattr(-,root,root,-) in %files

- Add patch to ensure /etc/hosts is used if /etc/nsswitch.conf is
  not present bsc#1172868 gh#golang/go#35305
  * add go1.x-prefer-etc-hosts-over-dns.patch
  * Patch renamed and fields added per packaging guidelines
    on 2020-07-15 by Jeff Kowalczyk &lt;jkowalczyk@suse.com&gt;
  * Patch can likely be dropped for go1.16 in February 2021

- Ensure ARM arch is set properly - bsc#1169832

- Document (and clean up) LLVM snapshotting for go-race.
- Update _service to no longer fetch Go from git.

- go1.13.12 (released 2020/06/01) includes fixes to the runtime,
  and the go/types and math/big packages.
  Refs bsc#1149259.
  * go#38932 runtime: preemption in startTemplateThread may cause infinite hang
  * go#36689 go/types, math/big: data race in go/types due to math/big.Rat accessors unsafe for concurrent use

- go1.13.11 (released 2020/05/14) includes fixes to the compiler.
  Refs bsc#1149259.
  * go#38442 cmd/compile: unexpected nil dereference on s390x

- Requires binutils-gold for %arm and aarch64 - bsc#1170826

- go1.13.10 (released 2020/04/08) includes fixes to the go command,
  the runtime, os/exec, and time packages.
  Refs bsc#1149259.
  * go#38236 time: NewTicker will not emit ticks at a frequency greater than 1/sec on qemu user mode ppc64le
  * go#38082 cmd/go/internal/test: data race in (*runCache).builderRunTest
  * go#37901 cmd/compile/internal/syntax: TestStdLib verbosely broken on Windows
  * go#37895 os: TestRemoveAllWithMoreErrorThanReqSize is failing on Plan 9 and Windows
  * go#37892 net/http: TestCancelRequestWithChannelBeforeDo_Cancel failure on Windows long test
  * go#37802 cmd/go: 'Access is denied' when renaming module cache directory
  * go#37483 runtime: "fatal error: unexpected signal" 0xC0000005 on Windows for a small program with a large allocation
  * go#37433 os/exec: environForSysProcAttr is never called as sysattr.Env is never nil
  * go#37230 PowerRegisterSuspendResumeNotification error on Azure App Services with go 1.13.7

- go1.13.9 (released 2020/03/19) includes fixes to the go command,
  tools, the runtime, the toolchain, and the crypto/cypher package.
  Refs bsc#1149259.
  * go#37826 internal/syscall/windows/registry: TestWalkFullRegistry failing on windows-amd64-longtest
  * go#37821 cmd/go: module's "go" version should be included in cache key
  * go#37417 crypto/cipher: NewGCMWithNonceSize allows zero-length nonce
  * go#37342 cmd/trace: requires HTML imports, which doesn't work on any major browser anymore
  * go#36846 cmd/link: system linker warnings on macOS 10.14 when using cgo

- Packaging sync accumulated changes from go1.12
  Refs bsc#1149259.
- Use gcc9 by default by updating define gcc_go_version 9 (was 8)
  * drop unneeded patch gcc8-go.patch
- Fix broken go_api evaluation (1.12 &lt; 1.5, when evaluated as floats),
  let RPM evaluate the expression, drop no longer required bc.
- Own the gdbinit.d directory, avoid the build dependency on gdb.
- Add %ifarch %arm aarch64 BuildRequires: binutils-gold to fix
  /usr/lib64/go/{version}/pkg/tool/linux_arm64/link: running gcc failed: exit status 1
  collect2: fatal error: cannot find 'ld'-
</description>
</patchinfo>

Places

File _patchinfo of Package patchinfo.16032

Places