An update that solves 10 vulnerabilities and has one errata
is now available.
Description:
This update for go1.18 fixes the following issues:
Update to go version 1.18.5 (bsc#1193742):
- CVE-2022-32189: encoding/gob, math/big: decoding big.Float and big.Rat
can panic (bsc#1202035).
- CVE-2022-1705: net/http: improper sanitization of Transfer-Encoding
header (bsc#1201434)
- CVE-2022-32148: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (bsc#1201436)
- CVE-2022-30631: compress/gzip: stack exhaustion in Reader.Read
(bsc#1201437).
- CVE-2022-30633: encoding/xml: stack exhaustion in Unmarshal
(bsc#1201440).
- CVE-2022-28131: encoding/xml: stack exhaustion in Decoder.Skip
(bsc#1201443).
- CVE-2022-30635: encoding/gob: stack exhaustion in Decoder.Decode
(bsc#1201444).
- CVE-2022-30632: path/filepath: stack exhaustion in Glob (bsc#1201445).
- CVE-2022-30630: io/fs: stack exhaustion in Glob (bsc#1201447).
- CVE-2022-1962: go/parser: stack exhaustion in all Parse* functions
(bsc#1201448).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
-
openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-2672=1
-
openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-2672=1
-
SUSE Linux Enterprise Module for Development Tools 15-SP4:
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2022-2672=1
-
SUSE Linux Enterprise Module for Development Tools 15-SP3:
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-2672=1