Overview

File _patchinfo of Package patchinfo.31406

<patchinfo incident="31406">
  <issue tracker="bnc" id="1212669">go1.21+ toolchains change default GOTOOLCHAIN=auto to local to prevent downloading upstream go1.x toolchain binaries</issue>
  <issue tracker="bnc" id="1216944">VUL-0: CVE-2023-45284: go1.20,go1.21: path/filepath: recognize device names with trailing spaces and superscripts</issue>
  <issue tracker="bnc" id="1215985">VUL-0: CVE-2023-39323: go1.20,go1.21: cmd/go: line directives allows arbitrary execution during build</issue>
  <issue tracker="bnc" id="1215086">VUL-0: CVE-2023-39320: go1.21: cmd/go: go.mod toolchain directive allows arbitrary execution</issue>
  <issue tracker="bnc" id="1215087">VUL-0: CVE-2023-39321: CVE-2023-39322: go1.21: crypto/tls: panic when processing post-handshake message on QUIC connections</issue>
  <issue tracker="bnc" id="1215090">go1.20,go1.21: Go toolchain packages missing src/cmd/vendor/github.com/google/pprof/internal/driver/html/</issue>
  <issue tracker="bnc" id="1212667">go1.21 packages are missing go.env file to set toolchain defaults</issue>
  <issue tracker="bnc" id="1215085">VUL-0: CVE-2023-39319: go1.20,go1.21: html/template: improper handling of special tags within script contexts</issue>
  <issue tracker="bnc" id="1216109">VUL-0: CVE-2023-39325: go1.20,go1.21: net/http: rapid stream resets can cause excessive work</issue>
  <issue tracker="bnc" id="1215084">VUL-0: CVE-2023-39318: go1.20,go1.21: html/template: improper handling of HTML-like comments within script contexts</issue>
  <issue tracker="bnc" id="1212475">go1.21 release tracking</issue>
  <issue tracker="bnc" id="1216943">VUL-0: CVE-2023-45283: go1.20,go1.21: path/filepath: recognize \??\ as a Root Local Device path prefix</issue>
  <issue tracker="cve" id="2023-39322"/>
  <issue tracker="cve" id="2023-39319"/>
  <issue tracker="cve" id="2023-39323"/>
  <issue tracker="cve" id="2023-45284"/>
  <issue tracker="cve" id="2023-39325"/>
  <issue tracker="cve" id="2023-39320"/>
  <issue tracker="cve" id="2023-39318"/>
  <issue tracker="cve" id="2023-39321"/>
  <issue tracker="cve" id="2023-44487"/>
  <issue tracker="cve" id="2023-45283"/>
  <issue tracker="jsc" id="SLE-18320"/>
  <packager>jfkw</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for go1.21-openssl</summary>
  <description>This update for go1.21-openssl fixes the following issues:

Update to version 1.21.4.1 cut from the go1.21-openssl-fips
branch at the revision tagged go1.21.4-1-openssl-fips.

* Update to go1.21.4


go1.21.4 (released 2023-11-07) includes security fixes to the
path/filepath package, as well as bug fixes to the linker, the
runtime, the compiler, and the go/types, net/http, and
runtime/cgo packages.

* security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths (bsc#1216943, bsc#1216944)
* spec: update unification rules
* cmd/compile: internal compiler error: expected struct value to have type struct
* cmd/link: split text sections for arm 32-bit
* runtime: MADV_COLLAPSE causes production performance issues on Linux
* go/types, x/tools/go/ssa: panic: type param without replacement encountered
* cmd/compile: -buildmode=c-archive produces code not suitable for use in a shared object on arm64
* net/http: http2 page fails on firefox/safari if pushing resources


Initial package go1.21-openssl version 1.21.3.1 cut from the
go1.21-openssl-fips branch at the revision tagged
go1.21.3-1-openssl-fips.  (jsc#SLE-18320)

* Go upstream merged branch dev.boringcrypto in go1.19+.
* In go1.x enable BoringCrypto via GOEXPERIMENT=boringcrypto.
* In go1.x-openssl enable FIPS mode (or boring mode as the
  package is named) either via an environment variable
  GOLANG_FIPS=1 or by virtue of booting the host in FIPS mode.
* When the operating system is operating in FIPS mode, Go
  applications which import crypto/tls/fipsonly limit operations
  to the FIPS ciphersuite.
* go1.x-openssl is delivered as two large patches to go1.x
  applying necessary modifications from the golang-fips/go GitHub
  project for the Go crypto library to use OpenSSL as the
  external cryptographic library in a FIPS compliant way.
* go1.x-openssl modifies the crypto/* packages to use OpenSSL for
  cryptographic operations.
* go1.x-openssl uses dlopen() to call into OpenSSL.
* SUSE RPM packaging introduces a fourth version digit go1.x.y.z
  corresponding to the golang-fips/go patchset tagged revision.
* Patchset improvements can be updated independently of upstream
  Go maintenance releases.
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places