Security update for go1.18-openssl

Announcement ID:	SUSE-SU-2023:2312-1
Rating:	important
References:	bsc#1183043 bsc#1193742 bsc#1198423 bsc#1198424 bsc#1198427 bsc#1199413 bsc#1200134 bsc#1200135 bsc#1200136 bsc#1200137 bsc#1201434 bsc#1201436 bsc#1201437 bsc#1201440 bsc#1201443 bsc#1201444 bsc#1201445 bsc#1201447 bsc#1201448 bsc#1202035 bsc#1203185 bsc#1204023 bsc#1204024 bsc#1204025 bsc#1204941 bsc#1206134 bsc#1206135 bsc#1208270 bsc#1208271 bsc#1208272 bsc#1208491 jsc#PED-1962
Cross-References:	CVE-2022-1705 CVE-2022-1962 CVE-2022-24675 CVE-2022-27536 CVE-2022-27664 CVE-2022-28131 CVE-2022-28327 CVE-2022-2879 CVE-2022-2880 CVE-2022-29526 CVE-2022-29804 CVE-2022-30580 CVE-2022-30629 CVE-2022-30630 CVE-2022-30631 CVE-2022-30632 CVE-2022-30633 CVE-2022-30634 CVE-2022-30635 CVE-2022-32148 CVE-2022-32189 CVE-2022-41715 CVE-2022-41716 CVE-2022-41717 CVE-2022-41720 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725
CVSS scores:	CVE-2022-1705 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2022-1705 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2022-1962 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-1962 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2022-24675 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-24675 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27536 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27536 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27664 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27664 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-28131 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-28131 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-28327 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-28327 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-2879 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-2879 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-2880 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-2880 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2022-29526 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-29526 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2022-29804 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2022-29804 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2022-30580 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2022-30580 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-30629 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2022-30629 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2022-30630 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-30630 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-30631 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-30631 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-30632 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-30632 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-30633 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-30633 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-30634 ( SUSE ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2022-30634 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-30635 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2022-30635 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-32148 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2022-32148 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2022-32189 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2022-32189 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-41715 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-41715 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-41716 ( SUSE ): 0.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N CVE-2022-41716 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2022-41717 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-41717 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2022-41720 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2022-41723 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-41723 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-41724 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-41724 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-41725 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2022-41725 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Development Tools Module 15-SP4 openSUSE Leap 15.4 openSUSE Leap 15.5 SUSE Enterprise Storage 7.1 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3

An update that solves 28 vulnerabilities, contains one feature and has three security fixes can now be installed.

Description:

This update for go1.18-openssl fixes the following issues:

• Add subpackage go1.x-libstd compiled shared object libstd.so (jsc#PED-1962)
• Main go1.x package included libstd.so in previous versions
• Split libstd.so into subpackage that can be installed standalone
• Continues the slimming down of main go1.x package by 40 Mb
• Experimental and not recommended for general use, Go currently has no ABI
• Upstream Go has not committed to support buildmode=shared long-term
• Do not use in packaging, build static single binaries (the default)
• Upstream Go go1.x binary releases do not include libstd.so
• go1.x Suggests go1.x-libstd so not installed by default Recommends
• go1.x-libstd does not Require: go1.x so can install standalone
• Provides go-libstd unversioned package name
• Fix build step -buildmode=shared std to omit -linkshared
• Packaging improvements:
• go1.x Suggests go1.x-doc so not installed by default Recommends

• Use Group: Development/Languages/Go instead of Other

• Improvements to go1.x packaging spec:

• On Tumbleweed bootstrap with current default gcc13 and gccgo118
• On SLE-12 aarch64 ppc64le ppc64 remove overrides to bootstrap using go1.x package (%bcond_without gccgo). This is no longer needed on current SLE-12:Update and removing will consolidate the build configurations used.
• Change source URLs to go.dev as per Go upstream
• On x86_64 export GOAMD64=v1 as per the current baseline. At this time forgo GOAMD64=v3 option for x86_64_v3 support.

• On x86_64 %define go_amd64=v1 as current instruction baseline

• Update to version 1.18.10.1 cut from the go1.18-openssl-fips branch at the revision tagged go1.18.10-1-openssl-fips.

• Merge branch dev.boringcrypto.go1.18 into go1.18-openssl-fips

• Merge go1.18.10 into dev.boringcrypto.go1.18

• go1.18.10 (released 2023-01-10) includes fixes to cgo, the compiler, the linker, and the crypto/x509, net/http, and syscall packages. Refs bsc#1193742 go1.18 release tracking

• go#57705 misc/cgo: backport needed for dlltool fix
• go#57426 crypto/x509: Verify on macOS does not return typed errors
• go#57344 cmd/compile: the loong64 intrinsic for CompareAndSwapUint32 function needs to sign extend its "old" argument.
• go#57338 syscall, internal/poll: accept4-to-accept fallback removal broke Go code on Synology DSM 6.2 ARM devices
• go#57213 os: TestLstat failure on Linux Aarch64
• go#57211 reflect: sort.SliceStable sorts incorrectly on arm64 with less function created with reflect.MakeFunc and slice of sufficient length
• go#57057 cmd/go: remove test dependency on gopkg.in service
• go#57054 cmd/go: TestScript/version_buildvcs_git_gpg (if enabled) fails on linux longtest builders
• go#57044 cgo: malformed DWARF TagVariable entry
• go#57028 cmd/cgo: Wrong types in compiler errors with clang 14
• go#56833 cmd/link/internal/ppc64: too-far trampoline is reused
• go#56711 net: reenable TestLookupDotsWithRemoteSource and TestLookupGoogleSRV with a different target
• go#56323 net/http: bad handling of HEAD requests with a body

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2023-2312=1
• openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2023-2312=1
• Development Tools Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2023-2312=1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-2312=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-2312=1
• SUSE Linux Enterprise Real Time 15 SP3
  zypper in -t patch SUSE-SLE-Product-RT-15-SP3-2023-2312=1
• SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-2312=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-2312=1
• SUSE Enterprise Storage 7.1
  zypper in -t patch SUSE-Storage-7.1-2023-2312=1

Package List:

• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  • go1.18-openssl-1.18.10.1-150000.1.9.1
  • go1.18-openssl-doc-1.18.10.1-150000.1.9.1
• openSUSE Leap 15.4 (aarch64 x86_64)
  • go1.18-openssl-race-1.18.10.1-150000.1.9.1
• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  • go1.18-openssl-1.18.10.1-150000.1.9.1
  • go1.18-openssl-doc-1.18.10.1-150000.1.9.1
• openSUSE Leap 15.5 (aarch64 x86_64)
  • go1.18-openssl-race-1.18.10.1-150000.1.9.1
• Development Tools Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  • go1.18-openssl-1.18.10.1-150000.1.9.1
  • go1.18-openssl-doc-1.18.10.1-150000.1.9.1
• Development Tools Module 15-SP4 (aarch64 x86_64)
  • go1.18-openssl-race-1.18.10.1-150000.1.9.1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (aarch64 x86_64)
  • go1.18-openssl-1.18.10.1-150000.1.9.1
  • go1.18-openssl-race-1.18.10.1-150000.1.9.1
  • go1.18-openssl-doc-1.18.10.1-150000.1.9.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64)
  • go1.18-openssl-1.18.10.1-150000.1.9.1
  • go1.18-openssl-race-1.18.10.1-150000.1.9.1
  • go1.18-openssl-doc-1.18.10.1-150000.1.9.1
• SUSE Linux Enterprise Real Time 15 SP3 (x86_64)
  • go1.18-openssl-1.18.10.1-150000.1.9.1
  • go1.18-openssl-race-1.18.10.1-150000.1.9.1
  • go1.18-openssl-doc-1.18.10.1-150000.1.9.1
• SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64)
  • go1.18-openssl-1.18.10.1-150000.1.9.1
  • go1.18-openssl-doc-1.18.10.1-150000.1.9.1
• SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 x86_64)
  • go1.18-openssl-race-1.18.10.1-150000.1.9.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
  • go1.18-openssl-1.18.10.1-150000.1.9.1
  • go1.18-openssl-doc-1.18.10.1-150000.1.9.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3 (x86_64)
  • go1.18-openssl-race-1.18.10.1-150000.1.9.1