File _patchinfo of Package patchinfo.16432

<patchinfo incident="16432">
  <issue tracker="bnc" id="1176031">VUL-0: CVE-2020-24553: go net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified</issue>
  <issue tracker="bnc" id="1175132">go1.15 release tracking</issue>
  <issue tracker="bnc" id="1170826">Go packages miss binutils-gold dependency</issue>
  <issue tracker="cve" id="2020-24553"/>
  <packager>jfkw</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for go1.15</summary>
  <description>This update for go1.15 fixes the following issues:

go1.15 (released 2020-08-11)

Go 1.15 is a major release of Go.

go1.15.x minor releases will be provided through August 2021.
https://github.com/golang/go/wiki/Go-Release-Cycle
Most changes are in the implementation of the toolchain, runtime,
and libraries. As always, the release maintains the Go 1 promise
of compatibility. We expect almost all Go programs to continue to
compile and run as before.

* See release notes https://golang.org/doc/go1.15. Excerpts
  relevant to OBS environment and for SUSE/openSUSE follow:
* Module support in the go command is ready for production use,
  and we encourage all users to migrate to Go modules for
  dependency management.
* Module cache: The location of the module cache may now be set
  with the GOMODCACHE environment variable. The default value of
  GOMODCACHE is GOPATH[0]/pkg/mod, the location of the module
  cache before this change.
* Compiler flag parsing: Various flag parsing issues in go test
  and go vet have been fixed. Notably, flags specified in
  GOFLAGS are handled more consistently, and the -outputdir flag
  now interprets relative paths relative to the working
  directory of the go command (rather than the working directory
  of each individual test).
* The GOPROXY environment variable now supports skipping proxies
  that return errors. Proxy URLs may now be separated with
  either commas (,) or pipe characters (|). If a proxy URL is
  followed by a comma, the go command will only try the next
  proxy in the list after a 404 or 410 HTTP response. If a proxy
  URL is followed by a pipe character, the go command will try
  the next proxy in the list after any error. Note that the
  default value of GOPROXY remains
  https://proxy.golang.org,direct, which does not fall back to
  direct in case of errors.
* On a Unix system, if the kill command or kill system call is
  used to send a SIGSEGV, SIGBUS, or SIGFPE signal to a Go
  program, and if the signal is not being handled via
  os/signal.Notify, the Go program will now reliably crash with
  a stack trace. In earlier releases the behavior was
  unpredictable.
* Allocation of small objects now performs much better at high
  core counts, and has lower worst-case latency.
* Go 1.15 reduces typical binary sizes by around 5% compared to
  Go 1.14 by eliminating certain types of GC metadata and more
  aggressively eliminating unused type metadata.
* The toolchain now mitigates Intel CPU erratum SKX102 on
  GOARCH=amd64 by aligning functions to 32 byte boundaries and
  padding jump instructions. While this padding increases binary
  sizes, this is more than made up for by the binary size
  improvements mentioned above.
* Go 1.15 adds a -spectre flag to both the compiler and the
  assembler, to allow enabling Spectre mitigations. These should
  almost never be needed and are provided mainly as a "defense
  in depth" mechanism. See the Spectre Go wiki page for details.
* The compiler now rejects //go: compiler directives that have
  no meaning for the declaration they are applied to with a
  "misplaced compiler directive" error. Such misapplied
  directives were broken before, but were silently ignored by
  the compiler.
* Substantial improvements to the Go linker, which reduce linker
  resource usage (both time and memory) and improve code
  robustness/maintainability. Linking is 20% faster and requires
  30% less memory on average. These changes are part of a
  multi-release project to modernize the Go linker, meaning that
  there will be additional linker improvements expected in
  future releases.
* The linker now defaults to internal linking mode for
  -buildmode=pie on linux/amd64 and linux/arm64, so these
  configurations no longer require a C linker.
* There has been progress in improving the stability and
  performance of the 64-bit RISC-V port on Linux (GOOS=linux,
  GOARCH=riscv64). It also now supports asynchronous preemption.
* crypto/x509: The deprecated, legacy behavior of treating the
  CommonName field on X.509 certificates as a host name when no
  Subject Alternative Names are present is now disabled by
  default. It can be temporarily re-enabled by adding the value
  x509ignoreCN=0 to the GODEBUG environment variable. Note that
  if the CommonName is an invalid host name, it's always
  ignored, regardless of GODEBUG settings. Invalid names include
  those with any characters other than letters, digits, hyphens
  and underscores, and those with empty labels or trailing dots.
* crypto/x509: Because of the CommonName change above, go1.15
  applications that connect to an AWS DB instance whose certificate
  was created or updated to rds-ca-2019 prior to July 28, 2020 must
  have that certificate updated again. If the DB instance was created
  or its certificate updated after July 28, 2020, no action is
  required. For more information, see go#39568

go1.15.2 (released 2020-09-09) includes fixes to the compiler,
runtime, documentation, the go command, and the net/mail, os,
sync, and testing packages.

* go#41193 net/http/fcgi: race detected during execution of TestResponseWriterSniffsContentType test
* go#41178 doc: include fix for #34437 in Go 1.14 release notes
* go#41034 testing: Cleanup races with Logf and Errorf
* go#41011 sync: sync.Map keys will never be garbage collected
* go#40934 runtime: checkptr incorrectly -race flagging when using &amp;^ arithmetic
* go#40900 internal/poll: CopyFileRange returns EPERM on CircleCI Docker Host running 4.10.0-40-generic
* go#40868 cmd/compile: R12 can be clobbered for write barrier call on PPC64
* go#40849 testing: "=== PAUSE" lines do not change the test name for the next log line
* go#40845 runtime: Panic if newstack at runtime.acquireLockRank
* go#40805 cmd/test2json: tests that panic are marked as passing
* go#40804 net/mail: change in behavior of ParseAddressList("") in 1.15
* go#40802 cmd/go: in 1.15: change in "go test" argument parsing
* go#40798 cmd/compile: inline marker targets not reachable after assembly on arm
* go#40772 cmd/compile: compiler crashes in ssa: isNonNegative bad type
* go#40767 cmd/compile: inline marker targets not reachable after assembly on ppc64x
* go#40739 internal/poll: CopyFileRange returns ENOTSUP on Linux 3.10.0 kernel on NFS mount
* go#40412 runtime: Windows service lifecycle events behave incorrectly when called within a golang environment


go1.15.1 (released 2020-09-01) includes security fixes to the net/http/cgi and net/http/fcgi packages.

* bsc#1176031 CVE-2020-24553
* go#41165 net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified
</description>
</patchinfo>
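The GOPROXY fallback rule described in the release excerpt above (comma: move on only after 404 or 410; pipe: move on after any error; the default list does not fall back to direct on proxy errors), as an added example that is not code from the Go project or from this update. It is a stand-alone simulation of the rule, not cmd/go's implementation: ParseGOPROXY, Resolve, Outcome and the proxy URLs in main are assumptions made for the example, and an entry missing from the outcome map (such as "direct") is treated as succeeding to stand in for a VCS fetch.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ProxyEntry is one element of a GOPROXY list. NextOnAnyError records whether
// the separator after it was a pipe ('|': fall through on any error) or a comma
// (',': fall through only on 404 or 410). The last entry has no separator.
type ProxyEntry struct {
	URL            string
	NextOnAnyError bool
}

// ParseGOPROXY splits a GOPROXY value on ',' and '|' and keeps, per entry,
// which separator followed it. (Example helper, not cmd/go's parser.)
func ParseGOPROXY(value string) []ProxyEntry {
	var entries []ProxyEntry
	var cur strings.Builder
	for _, r := range value {
		if r == ',' || r == '|' {
			entries = append(entries, ProxyEntry{URL: strings.TrimSpace(cur.String()), NextOnAnyError: r == '|'})
			cur.Reset()
			continue
		}
		cur.WriteRune(r)
	}
	return append(entries, ProxyEntry{URL: strings.TrimSpace(cur.String())})
}

// Outcome is a simplified record of how one entry answered a module request:
// an HTTP status, or a transport error. Status 200 with a nil Err is success.
type Outcome struct {
	Status int
	Err    error
}

// Resolve walks the list in order applying the Go 1.15 rule. It returns the
// entry that served the request, or an error as soon as the separator after a
// failing entry does not permit moving on. Entries absent from outcomes are
// treated as succeeding (this simulation's stand-in for a direct VCS fetch).
func Resolve(entries []ProxyEntry, outcomes map[string]Outcome) (string, error) {
	for i, e := range entries {
		o, known := outcomes[e.URL]
		if !known || (o.Err == nil && o.Status == 200) {
			return e.URL, nil
		}
		failure := fmt.Errorf("%s: status %d, err %v", e.URL, o.Status, o.Err)
		notFound := o.Err == nil && (o.Status == 404 || o.Status == 410)
		last := i == len(entries)-1
		if last || !(notFound || e.NextOnAnyError) {
			return "", failure // fail closed: the rule does not allow the next entry
		}
		// Otherwise the separator permits trying the next entry.
	}
	return "", errors.New("empty GOPROXY list")
}

func main() {
	def := ParseGOPROXY("https://proxy.golang.org,direct") // the documented default
	fmt.Println(Resolve(def, map[string]Outcome{"https://proxy.golang.org": {Status: 502}}))
	fmt.Println(Resolve(def, map[string]Outcome{"https://proxy.golang.org": {Status: 404}}))

	// Assumed private vetting proxy followed by a pipe: an outage falls through to direct.
	piped := ParseGOPROXY("https://proxy.internal.example|direct")
	fmt.Println(Resolve(piped, map[string]Outcome{
		"https://proxy.internal.example": {Err: errors.New("connection refused")},
	}))
}
```

The pipe separator is convenient for availability but changes the failure mode: a private proxy that exists to enforce an allow-list is silently bypassed by `direct` during any outage if it is followed by `|`. Keep such a proxy comma-separated (or make it the only entry) so that errors fail closed, as the default list does.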
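The crypto/x509 CommonName change described in the release excerpt above, as an added example that is not code from the Go project or from this update. It builds two constructed self-signed certificates for an assumed host name (db.example.test): one that names the host only in the Subject CommonName with no SAN extension, and one that carries it as a DNS SAN with an unrelated CommonName, then runs the same chain and host name verification a TLS client performs against each. The helper names (makeSelfSigned, verifyForHost, CNOnlyAccepted, SANAccepted) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSigned builds a constructed, self-signed, CA-capable certificate whose
// Subject CommonName is cn and whose DNS SANs are sans. A nil sans yields a
// certificate with no SAN extension at all, the case the legacy CommonName
// fallback used to cover.
func makeSelfSigned(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyForHost trusts cert as the only root and verifies it for host, which
// is what crypto/tls does for a server certificate; it returns the error.
func verifyForHost(cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// CNOnlyAccepted reports whether a certificate that names host only in the
// CommonName (no SAN extension) verifies for host.
func CNOnlyAccepted(host string) (bool, error) {
	cert, err := makeSelfSigned(host, nil)
	if err != nil {
		return false, err
	}
	return verifyForHost(cert, host) == nil, nil
}

// SANAccepted reports whether a certificate that carries host as a DNS SAN
// verifies for host; its CommonName is deliberately unrelated.
func SANAccepted(host string) (bool, error) {
	cert, err := makeSelfSigned("unrelated-cn", []string{host})
	if err != nil {
		return false, err
	}
	return verifyForHost(cert, host) == nil, nil
}

func main() {
	const host = "db.example.test" // assumed host name for the example
	if cert, err := makeSelfSigned(host, nil); err == nil {
		fmt.Println("CN-only certificate:", verifyForHost(cert, host))
	}
	if cert, err := makeSelfSigned("unrelated-cn", []string{host}); err == nil {
		fmt.Println("SAN certificate    :", verifyForHost(cert, host))
	}
}
```

Under go1.15 the CN-only certificate fails with a HostnameError that points at the legacy CommonName field, and setting GODEBUG=x509ignoreCN=0 in the process environment makes it verify again; that switch is a temporary bridge only (Go 1.17 removed it), so the durable fix is to reissue certificates with SANs, which is what the RDS note above is about.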
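The CVE-2020-24553 fix listed above (go1.15.1, net/http/cgi and net/http/fcgi) concerns handlers that never set Content-Type: per the upstream Go 1.15.1 announcement those packages used to fall back to text/html, and now choose the type from the first Write with http.DetectContentType, as net/http already did. The following is an added example, not code from the Go project or from this update; it drives two assumed handlers (unsafeEcho, safeEcho) through net/http's own response path via httptest, which applies the same sniffing, to show why the application-side fix is still an explicit Content-Type plus X-Content-Type-Options: nosniff rather than reliance on sniffing. The query parameter name q and the sample bodies are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// unsafeEcho writes attacker-influenced input (the q query parameter) without
// declaring a Content-Type, so the type is chosen downstream from the bytes.
func unsafeEcho(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte(r.URL.Query().Get("q")))
}

// safeEcho declares the type it actually produces before the first Write and
// tells browsers not to second-guess it. With text/plain declared, HTML in the
// body is rendered as text, not executed.
func safeEcho(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write([]byte(r.URL.Query().Get("q")))
}

// ContentTypeFor serves one request carrying body as q through h using a
// net/http response recorder (which sniffs with http.DetectContentType when no
// Content-Type is set) and returns the Content-Type that was sent.
func ContentTypeFor(h http.HandlerFunc, body string) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest("GET", "/?q="+url.QueryEscape(body), nil)
	h(rec, req)
	return rec.Result().Header.Get("Content-Type")
}

// NosniffFor returns the X-Content-Type-Options header h sends for body.
func NosniffFor(h http.HandlerFunc, body string) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest("GET", "/?q="+url.QueryEscape(body), nil)
	h(rec, req)
	return rec.Result().Header.Get("X-Content-Type-Options")
}

func main() {
	payload := "<script>alert(1)</script>" // constructed attacker-controlled body
	fmt.Println("unsafeEcho, plain text   :", ContentTypeFor(unsafeEcho, "alice"))
	fmt.Println("unsafeEcho, HTML payload :", ContentTypeFor(unsafeEcho, payload))
	fmt.Println("safeEcho,   HTML payload :", ContentTypeFor(safeEcho, payload))
}
```

Sniffing only narrows the window: a body that begins with HTML still sniffs as text/html, so any handler whose output can start with attacker-controlled bytes must set the header itself. Under net/http/cgi and net/http/fcgi before 1.15.1 even the plain-text body was labelled text/html, which is the case the CVE covers.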