Security update for go1.17

Announcement ID:	SUSE-SU-2022:0723-1
Rating:	important
References:	bsc#1190649 bsc#1195834 bsc#1195835 bsc#1195838
Cross-References:	CVE-2022-23772 CVE-2022-23773 CVE-2022-23806
CVSS scores:	CVE-2022-23772 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-23772 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-23773 ( SUSE ): 5.0 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N CVE-2022-23773 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2022-23806 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-23806 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Affected Products:	Development Tools Module 15-SP3 SUSE Enterprise Storage 7 SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 ESPOS 15-SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Manager Proxy 4.1 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.1 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.1 SUSE Manager Server 4.2

An update that solves three vulnerabilities and has one security fix can now be installed.

Description:

This update for go1.17 fixes the following issues:

• CVE-2022-23806: Fixed incorrect returned value in crypto/elliptic IsOnCurve (bsc#1195838).
• CVE-2022-23772: Fixed overflow in Rat.SetString in math/big can lead to uncontrolled memory consumption (bsc#1195835).
• CVE-2022-23773: Fixed incorrect access control in cmd/go (bsc#1195834).

The following non-security bugs were fixed:

• go#50978 crypto/elliptic: IsOnCurve returns true for invalid field elements
• go#50701 math/big: Rat.SetString may consume large amount of RAM and crash
• go#50687 cmd/go: do not treat branches with semantic-version names as releases
• go#50942 cmd/asm: "compile: loop" compiler bug?
• go#50867 cmd/compile: incorrect use of CMN on arm64
• go#50812 cmd/go: remove bitbucket VCS probing
• go#50781 runtime: incorrect frame information in traceback traversal may hang the process.
• go#50722 debug/pe: reading debug_info section of PE files that use the DWARF5 form DW_FORM_line_strp causes error
• go#50683 cmd/compile: MOVWreg missing sign-extension following a Copy from a floating-point LoadReg
• go#50586 net/http/httptest: add fipsonly compliant certificate in for NewTLSServer(), for dev.boringcrypto branch
• go#50297 cmd/link: does not set section type of .init_array correctly
• go#50246 runtime: intermittent os/exec.Command.Start() Hang on Darwin in Presence of "plugin" Package

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Development Tools Module 15-SP3
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-723=1
• SUSE Linux Enterprise High Performance Computing 15 SP2 ESPOS 15-SP2
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-723=1
• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-723=1
• SUSE Linux Enterprise Real Time 15 SP2
  zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-723=1
• SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-723=1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-723=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-723=1
• SUSE Manager Proxy 4.1
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-723=1
• SUSE Manager Retail Branch Server 4.1
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-723=1
• SUSE Manager Server 4.1
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-723=1
• SUSE Enterprise Storage 7
  zypper in -t patch SUSE-Storage-7-2022-723=1

Package List:

• Development Tools Module 15-SP3 (aarch64 ppc64le s390x x86_64)
  • go1.17-1.17.7-1.20.1
  • go1.17-doc-1.17.7-1.20.1
• Development Tools Module 15-SP3 (aarch64 x86_64)
  • go1.17-race-1.17.7-1.20.1
• SUSE Linux Enterprise High Performance Computing 15 SP2 ESPOS 15-SP2 (aarch64 x86_64)
  • go1.17-1.17.7-1.20.1
  • go1.17-race-1.17.7-1.20.1
  • go1.17-doc-1.17.7-1.20.1
• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64)
  • go1.17-1.17.7-1.20.1
  • go1.17-race-1.17.7-1.20.1
  • go1.17-doc-1.17.7-1.20.1
• SUSE Linux Enterprise Real Time 15 SP2 (x86_64)
  • go1.17-1.17.7-1.20.1
  • go1.17-race-1.17.7-1.20.1
  • go1.17-doc-1.17.7-1.20.1
• SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 (x86_64)
  • go1.17-1.17.7-1.20.1
  • go1.17-race-1.17.7-1.20.1
  • go1.17-doc-1.17.7-1.20.1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64)
  • go1.17-1.17.7-1.20.1
  • go1.17-doc-1.17.7-1.20.1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 x86_64)
  • go1.17-race-1.17.7-1.20.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
  • go1.17-1.17.7-1.20.1
  • go1.17-doc-1.17.7-1.20.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2 (x86_64)
  • go1.17-race-1.17.7-1.20.1
• SUSE Manager Proxy 4.1 (x86_64)
  • go1.17-1.17.7-1.20.1
  • go1.17-race-1.17.7-1.20.1
  • go1.17-doc-1.17.7-1.20.1
• SUSE Manager Retail Branch Server 4.1 (x86_64)
  • go1.17-1.17.7-1.20.1
  • go1.17-race-1.17.7-1.20.1
  • go1.17-doc-1.17.7-1.20.1
• SUSE Manager Server 4.1 (ppc64le s390x x86_64)
  • go1.17-1.17.7-1.20.1
  • go1.17-doc-1.17.7-1.20.1
• SUSE Manager Server 4.1 (x86_64)
  • go1.17-race-1.17.7-1.20.1
• SUSE Enterprise Storage 7 (aarch64 x86_64)
  • go1.17-1.17.7-1.20.1
  • go1.17-race-1.17.7-1.20.1
  • go1.17-doc-1.17.7-1.20.1

References:

• https://www.suse.com/security/cve/CVE-2022-23772.html
• https://www.suse.com/security/cve/CVE-2022-23773.html
• https://www.suse.com/security/cve/CVE-2022-23806.html
• https://bugzilla.suse.com/show_bug.cgi?id=1190649
• https://bugzilla.suse.com/show_bug.cgi?id=1195834
• https://bugzilla.suse.com/show_bug.cgi?id=1195835
• https://bugzilla.suse.com/show_bug.cgi?id=1195838