- go1.15.13 (released 2021-06-03) includes security fixes to the
archive/zip, math/big, net, and net/http/httputil packages, as
well as bug fixes to the linker, the go command, and the math/big
and net/http packages.
CVE-2021-33195 CVE-2021-33196 CVE-2021-33197 CVE-2021-33198
Refs boo#1175132 go1.15 release tracking
* boo#1187443 go#46241 CVE-2021-33195
* go#46356 net: Lookup functions may return invalid host names
* go#46531 net: Unix dnsclient test for CVE-2021-33195 assumes that 1.2.3.4 does not resolve
* boo#1186622 go#46242 CVE-2021-33196
* go#46396 archive/zip: malformed archive may cause panic or memory exhaustion
* boo#1187444 go#46313 CVE-2021-33197
* go#46314 net/http/httputil: ReverseProxy forwards Connection headers if first one is empty
* boo#1187445 go#45910 CVE-2021-33198
* go#46305 math/big: (*Rat).SetString with "1.770p02041010010011001001" crashes with "makeslice: len out of range"
* go#46143 cmd/go: error out of 'go mod tidy' if the go.mod file specifies a newer-than-supported Go version
* go#46127 cmd/link: internal error when externally linking very large binaries
* go#46002 cmd/link: SIGSEGV running 'openshift-install version' for release-4.8 using external linking on PPC64LE
* go#45335 math/big: Int.Lsh gives wrong results on s390x for n>=128 (forwarded request 900521 from jfkw)