Overview

File _patchinfo of Package patchinfo.16445

<patchinfo incident="16445">
  <issue tracker="bnc" id="1176031">VUL-0: CVE-2020-24553: go net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified</issue>
  <issue tracker="bnc" id="1164903">go1.14 release tracking</issue>
  <issue tracker="cve" id="2020-24553"/>
  <packager>jfkw</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for go1.14</summary>
  <description>This update for go1.14 fixes the following issues:

- go1.14.9 (released 2020-09-09) includes fixes to the compiler,
  linker, runtime, documentation, and the net/http and testing
  packages.
  Refs bsc#1164903 go1.14 release tracking
  * go#41192 net/http/fcgi: race detected during execution of TestResponseWriterSniffsContentType test
  * go#41016 net/http: Transport.CancelRequest no longer cancels in-flight request
  * go#40973 net/http: RoundTrip unexpectedly changes Request
  * go#40968 runtime: checkptr incorrectly -race flagging when using &amp;^ arithmetic
  * go#40938 cmd/compile: R12 can be clobbered for write barrier call on PPC64
  * go#40848 testing: "=== PAUSE" lines do not change the test name for the next log line
  * go#40797 cmd/compile: inline marker targets not reachable after assembly on arm
  * go#40766 cmd/compile: inline marker targets not reachable after assembly on ppc64x
  * go#40501 cmd/compile: for range loop reading past slice end
  * go#40411 runtime: Windows service lifecycle events behave incorrectly when called within a golang environment
  * go#40398 runtime: fatal error: checkdead: runnable g
  * go#40192 runtime: pageAlloc.searchAddr may point to unmapped memory in discontiguous heaps, violating its invariant
  * go#39955 cmd/link: incorrect GC bitmap when global's type is in another shared object
  * go#39690 cmd/compile: s390x floating point &lt;-&gt; integer conversions clobbering the condition code
  * go#39279 net/http: Re-connect with upgraded HTTP2 connection fails to send Request.body
  * go#38904 doc: include fix for #34437 in Go 1.14 release notes

- go1.14.8 (released 2020-09-01) includes security fixes to the
  net/http/cgi and net/http/fcgi packages.
  CVE-2020-24553
  Refs bsc#1164903 go1.14 release tracking
  * bsc#1176031 CVE-2020-24553
  * go#41164 net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places