Security update for go1.14

Announcement ID:	SUSE-SU-2020:2761-1
Rating:	moderate
References:	bsc#1164903 bsc#1176031
Cross-References:	CVE-2020-24553
CVSS scores:	CVE-2020-24553 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2020-24553 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products:	Development Tools Module 15-SP2 Development Tools Module 15-SP1 SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Manager Proxy 4.0 SUSE Manager Proxy 4.1 SUSE Manager Retail Branch Server 4.0 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.0 SUSE Manager Server 4.1

An update that solves one vulnerability and has one security fix can now be installed.

Description:

This update for go1.14 fixes the following issues:

• go1.14.9 (released 2020-09-09) includes fixes to the compiler, linker, runtime, documentation, and the net/http and testing packages. Refs bsc#1164903 go1.14 release tracking
• go#41192 net/http/fcgi: race detected during execution of TestResponseWriterSniffsContentType test
• go#41016 net/http: Transport.CancelRequest no longer cancels in-flight request
• go#40973 net/http: RoundTrip unexpectedly changes Request
• go#40968 runtime: checkptr incorrectly -race flagging when using &^ arithmetic
• go#40938 cmd/compile: R12 can be clobbered for write barrier call on PPC64
• go#40848 testing: "=== PAUSE" lines do not change the test name for the next log line
• go#40797 cmd/compile: inline marker targets not reachable after assembly on arm
• go#40766 cmd/compile: inline marker targets not reachable after assembly on ppc64x
• go#40501 cmd/compile: for range loop reading past slice end
• go#40411 runtime: Windows service lifecycle events behave incorrectly when called within a golang environment
• go#40398 runtime: fatal error: checkdead: runnable g
• go#40192 runtime: pageAlloc.searchAddr may point to unmapped memory in discontiguous heaps, violating its invariant
• go#39955 cmd/link: incorrect GC bitmap when global's type is in another shared object
• go#39690 cmd/compile: s390x floating point <-> integer conversions clobbering the condition code
• go#39279 net/http: Re-connect with upgraded HTTP2 connection fails to send Request.body

• go#38904 doc: include fix for #34437 in Go 1.14 release notes

• go1.14.8 (released 2020-09-01) includes security fixes to the net/http/cgi and net/http/fcgi packages. CVE-2020-24553 Refs bsc#1164903 go1.14 release tracking

• bsc#1176031 CVE-2020-24553
• go#41164 net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Development Tools Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-2761=1
• Development Tools Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-2761=1

Package List:

• Development Tools Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  • go1.14-doc-1.14.9-1.18.1
  • go1.14-1.14.9-1.18.1
• Development Tools Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • go1.14-doc-1.14.9-1.18.1
  • go1.14-1.14.9-1.18.1

References:

• https://www.suse.com/security/cve/CVE-2020-24553.html
• https://bugzilla.suse.com/show_bug.cgi?id=1164903
• https://bugzilla.suse.com/show_bug.cgi?id=1176031