Overview

File _patchinfo of Package patchinfo.9716

<patchinfo incident="9716">
  <issue tracker="bnc" id="1118899">VUL-0: EMBARGOED: CVE-2018-16875: go: crypto/x509: CPU denial of service</issue>
  <issue tracker="bnc" id="1118898">VUL-0: EMBARGOED: CVE-2018-16874: go: cmd/go: directory traversal</issue>
  <issue tracker="bnc" id="1118897">VUL-0: EMBARGOED: CVE-2018-16873: go: cmd/go: remote command execution</issue>
  <issue tracker="bnc" id="1082409">Major regression in usability of go package</issue>
  <issue tracker="bnc" id="1098017">go1.10 fails to rebuild on Leap15 ppc64le</issue>
  <issue tracker="bnc" id="1113978">go 1.10 fails to build on ppc64le</issue>
  <issue id="1119634" tracker="bnc">go: multi-version installation is broken on version switch</issue>
  <issue id="1119706" tracker="bnc">go get broken for   import path patterns containing "..."</issue>
  <issue tracker="cve" id="2018-16873"/>
  <issue tracker="cve" id="2018-16874"/>
  <issue tracker="cve" id="2018-16875"/>
  <category>security</category>
  <rating>important</rating>
  <packager>cyphar</packager>
  <description>This update for go1.10 fixes the following issues:

Security vulnerabilities fixed:

- CVE-2018-16873 (bsc#1118897): cmd/go: remote command execution during "go get -u".
- CVE-2018-16874 (bsc#1118898): cmd/go: directory traversal in "go get" via curly braces in import paths
- CVE-2018-16875 (bsc#1118899): crypto/x509: CPU denial of service

Other issues fixed:

- Fix build error with PIE linker flags on ppc64le. (bsc#1113978, bsc#1098017)
- Review dependencies (requires, recommends and supports) (bsc#1082409)
- Make profile.d/go.sh no longer set GOROOT=, in order to make switching
  between versions no longer break. This ends up removing the need for go.sh
  entirely (because GOPATH is also set automatically) (boo#1119634)
- Fix a regression that broke go get for import path patterns containing "..."
  (bsc#1119706)

It should be noted that Go is not provided as a tool for SLES (it's only used
for builds), and thus only CVE-2018-16875 has an impact on packages shipped by
SUSE.
</description>
  <summary>Security update for go1.10, patchinfo</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places