File _patchinfo of Package patchinfo.28056

<patchinfo incident="28056">
  <issue tracker="bnc" id="1208723">Customer asking about golang vulns in SLES 15 SP2 packages</issue>
  <issue tracker="bnc" id="1195391">identify and declare bash dependencies explicitly</issue>
  <issue tracker="bnc" id="1202101">Update Google GCE packages to latest versions in SLE-15</issue>
  <issue tracker="bnc" id="1194319">google-osconfig-agent incorrect package spec</issue>
  <issue tracker="bnc" id="1202826">google-guest-agent update fails during patch installation: error during %post install script</issue>
  <issue tracker="bnc" id="1202100">Update Google GCE packages to latest versions in SLE-12</issue>
  <issue tracker="bnc" id="1191468">VUL-0: CVE-2021-38297: go1.15,go1.16,go1.17: misc/wasm, cmd/link: do not let command line args overwrite global data</issue>
  <issue tracker="bnc" id="1195838">VUL-0: CVE-2022-23806: go1.17,go1.16: golang: crypto/elliptic IsOnCurve returns true for invalid field elements</issue>
  <issue tracker="cve" id="2021-38297"/>
  <issue tracker="cve" id="2022-23806"/>
  <packager>rjschwei</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for google-osconfig-agent</summary>
  <description>This update for google-osconfig-agent fixes the following issues:

  Updated to version 20230222.00 (bsc#1202100, bsc#1202101) and bumped go API version to 1.18 to address the following (bsc#1208723):

  - CVE-2021-38297: Fixed data overwrite when passing large arguments to GOARCH=wasm GOOS=js (bsc#1191468).
  - CVE-2022-23806: Fixed Curve.IsOnCurve to incorrectly return true (bsc#1195838).

  Bugfixes:
  
  - Fixed missing install command in %post section to create state file (bsc#1202826).
  - Avoid bashim in post install scripts (bsc#1195391).
  - Don't restart daemon on package upgrade, create a state file instead (bsc#1194319).

</description>
</patchinfo>