File _patchinfo of Package patchinfo.16032
<patchinfo incident="16032">
<issue tracker="cve" id="2020-16845"/>
<issue tracker="cve" id="2020-14039"/>
<issue tracker="cve" id="2020-15586"/>
<issue tracker="bnc" id="1169832">armv6hl: Go applications fails with "Illegal instruction (core dumped)"</issue>
<issue tracker="bnc" id="1174191">VUL-1: CVE-2020-14039: golang: X.509 verification ignores provided EKUs on Windows</issue>
<issue tracker="bnc" id="1149259">go1.13 release tracking</issue>
<issue tracker="bnc" id="1172868">golang doesn't honour /usr/etc/nsswitch.conf</issue>
<issue tracker="bnc" id="1170826">Go packages miss binutils-gold dependency</issue>
<issue tracker="bnc" id="1174153">VUL-0: CVE-2020-15586: golang: data race in certain net/http servers including ReverseProxy can lead to DoS</issue>
<issue tracker="bnc" id="1174977">(CVE-2020-16845) VUL-0: CVE-2020-16845: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs</issue>
<packager>jfkw</packager>
<rating>moderate</rating>
<category>security</category>
<summary>Security update for go1.13</summary>
<description>This update for go1.13 fixes the following issues:
- go1.13 was updated to version 1.13.5
- CVE-2020-16845: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (bsc#1174977).
- go1.13.14 (released 2020/07/16) includes fixes to the compiler,
vet, and the database/sql, net/http, and reflect packages
Refs bsc#1149259 go1.13 release tracking
* go#39925 net/http: panic on misformed If-None-Match Header with http.ServeContent
* go#39848 cmd/compile: internal compile error when using sync.Pool: mismatched zero/store sizes
* go#39823 cmd/go: TestBuildIDContainsArchModeEnv/386 fails on linux/386 in Go 1.14 and 1.13, not 1.15
* go#39697 reflect: panic from malloc after MakeFunc function returns value that is also stored globally
* go#39561 cmd/compile/internal/ssa: TestNexting/dlv-dbg-hist failing on linux-386-longtest builder because it tries to use an older version of dlv which only supports linux/amd64
* go#39538 net: TestDialParallel is flaky on windows-amd64-longtest
* go#39287 cmd/vet: update for new number formats
- go1.13.13 (released 2020/07/14) includes security fixes to the
crypto/x509 and net/http packages addressing the following CVEs:
CVE-2020-15586 CVE-2020-14039
Refs bsc#1174153 bsc#1174191
Refs bsc#1149259 go1.13 release tracking
* bsc#1174153 CVE-2020-15586
* bsc#1174191 CVE-2020-14039 (Windows only)
* go#40211 net/http: Expect 100-continue panics in httputil.ReverseProxy
* go#40209 crypto/x509: Certificate.Verify method seemingly ignoring EKU requirements on Windows
- Packaging improvements for update-alternatives priority,
%license tag, and permissions in %files macro section.
* update-alternatives increment priority on this and subsequent
go1.x versions using priority = 20 + (minor version) i.e.
go1.13 = 33, go1.14 = 34, etc.
* Use %license tag for LICENSE keep %doc for suse_version < 1500
* Remove %defattr(-,root,root,-) in %files
- Add patch to ensure /etc/hosts is used if /etc/nsswitch.conf is
not present bsc#1172868 gh#golang/go#35305
* add go1.x-prefer-etc-hosts-over-dns.patch
* Patch renamed and fields added per packaging guidelines
on 2020-07-15 by Jeff Kowalczyk <jkowalczyk@suse.com>
* Patch can likely be dropped for go1.16 in February 2021
- Ensure ARM arch is set properly - bsc#1169832
- Document (and clean up) LLVM snapshotting for go-race.
- Update _service to no longer fetch Go from git.
- go1.13.12 (released 2020/06/01) includes fixes to the runtime,
and the go/types and math/big packages.
Refs bsc#1149259.
* go#38932 runtime: preemption in startTemplateThread may cause infinite hang
* go#36689 go/types, math/big: data race in go/types due to math/big.Rat accessors unsafe for concurrent use
- go1.13.11 (released 2020/05/14) includes fixes to the compiler.
Refs bsc#1149259.
* go#38442 cmd/compile: unexpected nil dereference on s390x
- Requires binutils-gold for %arm and aarch64 - bsc#1170826
- go1.13.10 (released 2020/04/08) includes fixes to the go command,
the runtime, os/exec, and time packages.
Refs bsc#1149259.
* go#38236 time: NewTicker will not emit ticks at a frequency greater than 1/sec on qemu user mode ppc64le
* go#38082 cmd/go/internal/test: data race in (*runCache).builderRunTest
* go#37901 cmd/compile/internal/syntax: TestStdLib verbosely broken on Windows
* go#37895 os: TestRemoveAllWithMoreErrorThanReqSize is failing on Plan 9 and Windows
* go#37892 net/http: TestCancelRequestWithChannelBeforeDo_Cancel failure on Windows long test
* go#37802 cmd/go: 'Access is denied' when renaming module cache directory
* go#37483 runtime: "fatal error: unexpected signal" 0xC0000005 on Windows for a small program with a large allocation
* go#37433 os/exec: environForSysProcAttr is never called as sysattr.Env is never nil
* go#37230 PowerRegisterSuspendResumeNotification error on Azure App Services with go 1.13.7
- go1.13.9 (released 2020/03/19) includes fixes to the go command,
tools, the runtime, the toolchain, and the crypto/cipher package.
Refs bsc#1149259.
* go#37826 internal/syscall/windows/registry: TestWalkFullRegistry failing on windows-amd64-longtest
* go#37821 cmd/go: module's "go" version should be included in cache key
* go#37417 crypto/cipher: NewGCMWithNonceSize allows zero-length nonce
* go#37342 cmd/trace: requires HTML imports, which doesn't work on any major browser anymore
* go#36846 cmd/link: system linker warnings on macOS 10.14 when using cgo
- Packaging sync accumulated changes from go1.12
Refs bsc#1149259.
- Use gcc9 by default by updating define gcc_go_version 9 (was 8)
* drop unneeded patch gcc8-go.patch
- Fix broken go_api evaluation (1.12 < 1.5, when evaluated as floats),
let RPM evaluate the expression, drop no longer required bc.
- Own the gdbinit.d directory, avoid the build dependency on gdb.
- Add %ifarch %arm aarch64 BuildRequires: binutils-gold to fix
/usr/lib64/go/{version}/pkg/tool/linux_arm64/link: running gcc failed: exit status 1
collect2: fatal error: cannot find 'ld'-
</description>
</patchinfo>