File _patchinfo of Package patchinfo

<patchinfo incident="9327">
  <issue tracker="bnc" id="1118899">VUL-0: CVE-2018-16875: go: crypto/x509: CPU denial of service</issue>
  <issue tracker="bnc" id="1118898">VUL-0: CVE-2018-16874: go: cmd/go: directory traversal</issue>
  <issue tracker="bnc" id="1118897">VUL-0: CVE-2018-16873: go: cmd/go: remote command execution</issue>
  <issue tracker="bnc" id="1113978">go 1.10 fails to build on ppc64le</issue>
  <issue tracker="bnc" id="1098017">go1.10 fails to rebuild on Leap15 ppc64le</issue>
  <issue tracker="cve" id="2018-16873"/>
  <issue tracker="cve" id="2018-16875"/>
  <issue tracker="cve" id="2018-16874"/>
  <issue tracker="bnc" id="1119634">go: multi-version installation is broken on version switch</issue>
  <issue tracker="bnc" id="1119706">go get broken for   import path patterns containing "..."</issue>
  <category>security</category>
  <rating>important</rating>
  <packager>jordimassaguerpla</packager>
  <description>This new package for go1.11 fixes the following issues:
  
Security issues fixed:

- CVE-2018-16873: Fixed a remote code execution in go get, when executed with the -u flag (bsc#1118897)
- CVE-2018-16874: Fixed an arbitrary filesystem write in go get, which could lead to code execution (bsc#1118898)
- CVE-2018-16875: Fixed a Denial of Service in the crypto/x509 package during certificate chain validation(bsc#1118899)

Non-security issues fixed:

- Fixed build error with PIE linker flags on ppc64le (bsc#1113978 bsc#1098017)
- Make profile.d/go.sh no longer set GOROOT=, in order to make switching
  between versions no longer break. This ends up removing the need for go.sh
  entirely (because GOPATH is also set automatically) (bsc#1119634)
    
The following tracked regression fix is included:

- Fix a regression that broke go get for import path patterns containing "..." (bsc#1119706)
</description>
  <summary>Security update for go1.11</summary>
</patchinfo>