SUSE 5149 Published by

SUSE Linux has announced the release of multiple security updates, rated moderate to important, covering openssl-1_1, openssl-3, the Linux Kernel (Live Patch 21 for SLE 15 SP4, Live Patch 46 for SLE 15 SP3, and Live Patch 45 for SLE 15 SP3), grafana, python310-pytest-html, pgadmin4, and go1.23-openssl:

SUSE-SU-2024:3765-1: moderate: Security update for openssl-1_1
SUSE-SU-2024:3766-1: important: Security update for openssl-3
SUSE-SU-2024:3777-1: important: Security update for the Linux Kernel (Live Patch 21 for SLE 15 SP4)
SUSE-SU-2024:3779-1: important: Security update for the Linux Kernel (Live Patch 46 for SLE 15 SP3)
openSUSE-SU-2024:14431-1: moderate: grafana-11.3.0-1.1 on GA media
openSUSE-SU-2024:14433-1: moderate: python310-pytest-html-4.1.1-3.1 on GA media
SUSE-SU-2024:3771-1: important: Security update for pgadmin4
SUSE-SU-2024:3773-1: important: Security update for go1.23-openssl
SUSE-SU-2024:3774-1: important: Security update for the Linux Kernel (Live Patch 45 for SLE 15 SP3)




SUSE-SU-2024:3765-1: moderate: Security update for openssl-1_1


# Security update for openssl-1_1

Announcement ID: SUSE-SU-2024:3765-1
Release Date: 2024-10-29T01:34:21Z
Rating: moderate
References:

* bsc#1220262

Cross-References:

* CVE-2023-50782

CVSS scores:

* CVE-2023-50782 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-50782 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:

* Basesystem Module 15-SP5
* openSUSE Leap 15.5
* openSUSE Leap Micro 5.5
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves one vulnerability can now be installed.

## Description:

This update for openssl-1_1 fixes the following issues:

* CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262)
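CVE-2023-50782 is a padding-oracle side channel in RSAES-PKCS1-v1_5 decryption: whenever a decryption that fails its padding check is distinguishable from one that succeeds (an error return, a different code path, a timing difference), the attacker has a Bleichenbacher-style oracle. The fix adopted here, implicit rejection, makes a failed decryption return a deterministic pseudorandom message derived from the private key and the ciphertext instead of an error. The Python example below is added for illustration and is not OpenSSL code; the same CVE is also fixed in the openssl-3 advisory further down. The toy key (two Mersenne primes), the HMAC-based PRF and the function names are assumptions of the example, and the key is far too small to be secure.

```python
# Added example (not OpenSSL code): explicit vs implicit rejection for
# RSAES-PKCS1-v1_5 decryption. The key is a constructed toy built from two
# Mersenne primes so the script runs offline; it is far too small to be secure.
import hashlib
import hmac
import os

_P = (1 << 107) - 1                      # Mersenne prime M107 (constructed toy key)
_Q = (1 << 127) - 1                      # Mersenne prime M127
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
PUBLIC_KEY = (_N, _E)
PRIVATE_KEY = (_N, _D)
K = (_N.bit_length() + 7) // 8           # modulus length in bytes (30 for this key)


def rsa_raw(key, block: bytes) -> bytes:
    """Textbook RSA on one K-byte block; used for both directions."""
    n, exponent = key
    return pow(int.from_bytes(block, "big"), exponent, n).to_bytes(K, "big")


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EM = 0x00 || 0x02 || PS (>= 8 non-zero random bytes) || 0x00 || M."""
    if len(msg) > K - 11:
        raise ValueError("message too long for this modulus")
    ps = b""
    while len(ps) < K - len(msg) - 3:
        byte = os.urandom(1)
        if byte != b"\x00":
            ps += byte
    return b"\x00\x02" + ps + b"\x00" + msg


def encrypt(msg: bytes) -> bytes:
    return rsa_raw(PUBLIC_KEY, pkcs1_v15_pad(msg))


def unpad(em: bytes):
    """Return M, or None if EM is not a well-formed type-2 block."""
    if em[0] != 0 or em[1] != 2:
        return None
    separator = em.find(b"\x00", 2)
    if separator < 10:                   # PS shorter than 8 bytes, or no separator
        return None
    return em[separator + 1:]


def decrypt_explicit(ct: bytes):
    """Before the fix: a padding failure is reported to the caller, and through
    error messages, code paths or timing it becomes a Bleichenbacher oracle."""
    return unpad(rsa_raw(PRIVATE_KEY, ct))


def synthetic_message(ct: bytes) -> bytes:
    """Deterministic pseudorandom message for a given ciphertext, keyed by the
    private key: the same bad ciphertext always 'decrypts' to the same bytes,
    so the attacker cannot tell a padding failure from a message they do not
    know. (The HMAC-SHA256 construction is an assumption of this example.)"""
    key = hashlib.sha256(b"implicit-rejection" + _D.to_bytes(K, "big")).digest()

    def prf(label: bytes, nbytes: int) -> bytes:
        out = b""
        for counter in range((nbytes + 31) // 32):
            out += hmac.new(key, label + ct + counter.to_bytes(4, "big"), "sha256").digest()
        return out[:nbytes]

    length = int.from_bytes(prf(b"len", 2), "big") % (K - 11 + 1)   # any legal length
    return prf(b"msg", length)


def decrypt_implicit(ct: bytes) -> bytes:
    """After the fix: every ciphertext yields a message. Both candidates are
    always computed; a real implementation must also select between them
    without a data-dependent branch, which plain Python cannot guarantee."""
    real = unpad(rsa_raw(PRIVATE_KEY, ct))
    fallback = synthetic_message(ct)
    return fallback if real is None else real


if __name__ == "__main__":
    good = encrypt(b"attack at dawn")
    # Type-1 block encrypted under the public key: structurally invalid for decryption.
    bad = rsa_raw(PUBLIC_KEY, b"\x00\x01" + b"\xff" * (K - 3) + b"\x00")
    print("explicit, good:", decrypt_explicit(good))
    print("explicit, bad: ", decrypt_explicit(bad))        # None: the oracle
    print("implicit, good:", decrypt_implicit(good))
    print("implicit, bad: ", decrypt_implicit(bad))        # pseudorandom bytes, stable per ciphertext
```

The length of the synthetic message is itself drawn from the PRF, so the attacker cannot use message length to distinguish the two cases either. What the example cannot show is the timing side: the padding check and the final selection must run in constant time, which is the part of the upstream fix that a high-level language cannot reproduce.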

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.5
zypper in -t patch SUSE-2024-3765=1 openSUSE-SLE-15.5-2024-3765=1

* openSUSE Leap Micro 5.5
zypper in -t patch openSUSE-Leap-Micro-5.5-2024-3765=1

* SUSE Linux Enterprise Micro 5.5
zypper in -t patch SUSE-SLE-Micro-5.5-2024-3765=1

* Basesystem Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-3765=1

## Package List:

* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 i586)
* libopenssl1_1-debuginfo-1.1.1l-150500.17.37.1
* openssl-1_1-1.1.1l-150500.17.37.1
* libopenssl1_1-hmac-1.1.1l-150500.17.37.1
* openssl-1_1-debugsource-1.1.1l-150500.17.37.1
* libopenssl-1_1-devel-1.1.1l-150500.17.37.1
* libopenssl1_1-1.1.1l-150500.17.37.1
* openssl-1_1-debuginfo-1.1.1l-150500.17.37.1
* openSUSE Leap 15.5 (x86_64)
* libopenssl1_1-32bit-debuginfo-1.1.1l-150500.17.37.1
* libopenssl-1_1-devel-32bit-1.1.1l-150500.17.37.1
* libopenssl1_1-32bit-1.1.1l-150500.17.37.1
* libopenssl1_1-hmac-32bit-1.1.1l-150500.17.37.1
* openSUSE Leap 15.5 (noarch)
* openssl-1_1-doc-1.1.1l-150500.17.37.1
* openSUSE Leap 15.5 (aarch64_ilp32)
* libopenssl1_1-hmac-64bit-1.1.1l-150500.17.37.1
* libopenssl-1_1-devel-64bit-1.1.1l-150500.17.37.1
* libopenssl1_1-64bit-1.1.1l-150500.17.37.1
* libopenssl1_1-64bit-debuginfo-1.1.1l-150500.17.37.1
* openSUSE Leap Micro 5.5 (aarch64 s390x x86_64)
* libopenssl1_1-debuginfo-1.1.1l-150500.17.37.1
* openssl-1_1-1.1.1l-150500.17.37.1
* libopenssl1_1-hmac-1.1.1l-150500.17.37.1
* openssl-1_1-debugsource-1.1.1l-150500.17.37.1
* libopenssl-1_1-devel-1.1.1l-150500.17.37.1
* libopenssl1_1-1.1.1l-150500.17.37.1
* openssl-1_1-debuginfo-1.1.1l-150500.17.37.1
* SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64)
* libopenssl1_1-debuginfo-1.1.1l-150500.17.37.1
* openssl-1_1-1.1.1l-150500.17.37.1
* libopenssl1_1-hmac-1.1.1l-150500.17.37.1
* openssl-1_1-debugsource-1.1.1l-150500.17.37.1
* libopenssl-1_1-devel-1.1.1l-150500.17.37.1
* libopenssl1_1-1.1.1l-150500.17.37.1
* openssl-1_1-debuginfo-1.1.1l-150500.17.37.1
* Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* libopenssl1_1-debuginfo-1.1.1l-150500.17.37.1
* openssl-1_1-1.1.1l-150500.17.37.1
* libopenssl1_1-hmac-1.1.1l-150500.17.37.1
* openssl-1_1-debugsource-1.1.1l-150500.17.37.1
* libopenssl-1_1-devel-1.1.1l-150500.17.37.1
* libopenssl1_1-1.1.1l-150500.17.37.1
* openssl-1_1-debuginfo-1.1.1l-150500.17.37.1
* Basesystem Module 15-SP5 (x86_64)
* libopenssl1_1-32bit-debuginfo-1.1.1l-150500.17.37.1
* libopenssl1_1-32bit-1.1.1l-150500.17.37.1
* libopenssl1_1-hmac-32bit-1.1.1l-150500.17.37.1

## References:

* https://www.suse.com/security/cve/CVE-2023-50782.html
* https://bugzilla.suse.com/show_bug.cgi?id=1220262



SUSE-SU-2024:3766-1: important: Security update for openssl-3


# Security update for openssl-3

Announcement ID: SUSE-SU-2024:3766-1
Release Date: 2024-10-29T01:34:36Z
Rating: important
References:

* bsc#1220262
* bsc#1230698

Cross-References:

* CVE-2023-50782
* CVE-2024-41996

CVSS scores:

* CVE-2023-50782 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-50782 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-41996 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2024-41996 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* Basesystem Module 15-SP5
* openSUSE Leap 15.5
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves two vulnerabilities can now be installed.

## Description:

This update for openssl-3 fixes the following issues:

* CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262)
* CVE-2024-41996: Avoid expensive public key validation for known safe-prime
groups (DHEATATTACK) (bsc#1230698)
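The D(HE)at attack (CVE-2024-41996) is resource exhaustion: the client sends cheap, arbitrary public values and the server pays for the modular exponentiations, including the ones spent validating the peer's public key. For a safe-prime group p = 2q + 1 the full subgroup check y^q ≡ 1 (mod p) is itself an exponentiation with a q-sized exponent, but the order-q subgroup is exactly the set of quadratic residues, so the same answer comes from the Jacobi symbol without any exponentiation, and TLS 1.3 (RFC 8446) only requires 1 < Y < p-1 for its named ffdhe groups. The Python example below is added here and is not OpenSSL code (what the upstream change does exactly is in the referenced bug); it generates a small safe prime at run time for illustration and compares the three checks. The group size, the timing harness and the function names are assumptions of the example.

```python
# Added example (not OpenSSL code): the cost of validating a peer's DH public
# value in a safe-prime group, and the cheap checks that are sufficient there.
import random
import time

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases; good enough for a constructed test group."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int):
    """Return (p, q) with p = 2q + 1, both prime. Constructed at run time for the
    example; production code uses a published group such as RFC 7919 ffdhe2048."""
    rng = random.SystemRandom()
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if q % 3 != 2:                       # otherwise 3 divides 2q + 1
            continue
        p = 2 * q + 1
        if (is_probable_prime(p, 2) and is_probable_prime(q, 2)
                and is_probable_prime(p) and is_probable_prime(q)):
            return p, q


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0; the Legendre symbol when n is prime.
    Runs on word-sized operations only, no modular exponentiation."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def full_check(y: int, p: int, q: int) -> bool:
    """Full subgroup membership test: y^q == 1 (mod p). One exponentiation with a
    q-sized exponent, roughly the cost of the key exchange itself; this is what
    an attacker sending junk public values makes the server pay for."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def cheap_check(y: int, p: int) -> bool:
    """Same answer for a safe prime: the order-q subgroup is exactly the set of
    quadratic residues, so y^q == 1 (mod p) iff Legendre(y, p) == 1."""
    return 1 < y < p - 1 and jacobi(y, p) == 1


def range_check(y: int, p: int) -> bool:
    """What RFC 8446 (TLS 1.3) requires for a named ffdhe group: 1 < Y < p - 1."""
    return 1 < y < p - 1


def time_checks(p: int, q: int, samples: int = 200):
    """Seconds spent by each check over `samples` random public values."""
    rng = random.SystemRandom()
    ys = [rng.randrange(2, p - 1) for _ in range(samples)]
    timings = {}
    for name, fn in (("full_check", lambda y: full_check(y, p, q)),
                     ("cheap_check", lambda y: cheap_check(y, p)),
                     ("range_check", lambda y: range_check(y, p))):
        start = time.perf_counter()
        for y in ys:
            fn(y)
        timings[name] = time.perf_counter() - start
    return timings


if __name__ == "__main__":
    p, q = generate_safe_prime(512)
    for name, seconds in time_checks(p, q).items():
        print(f"{name:12s} {seconds * 1000:8.2f} ms / 200 values")
```

Running the script prints the three timings side by side; the ratio between full_check and the other two grows with the group size, which is the asymmetry the attack exploits. The range check still rejects the degenerate values 0, 1 and p-1; the remaining small-subgroup exposure in a safe-prime group is a single bit (whether Y is a residue), which is why the standards accept it for fixed groups.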

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.5
zypper in -t patch SUSE-2024-3766=1 openSUSE-SLE-15.5-2024-3766=1

* Basesystem Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-3766=1

## Package List:

* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 i586)
* libopenssl-3-devel-3.0.8-150500.5.48.1
* openssl-3-debugsource-3.0.8-150500.5.48.1
* libopenssl3-debuginfo-3.0.8-150500.5.48.1
* openssl-3-3.0.8-150500.5.48.1
* libopenssl3-3.0.8-150500.5.48.1
* openssl-3-debuginfo-3.0.8-150500.5.48.1
* openSUSE Leap 15.5 (x86_64)
* libopenssl-3-devel-32bit-3.0.8-150500.5.48.1
* libopenssl3-32bit-debuginfo-3.0.8-150500.5.48.1
* libopenssl3-32bit-3.0.8-150500.5.48.1
* openSUSE Leap 15.5 (noarch)
* openssl-3-doc-3.0.8-150500.5.48.1
* openSUSE Leap 15.5 (aarch64_ilp32)
* libopenssl-3-devel-64bit-3.0.8-150500.5.48.1
* libopenssl3-64bit-3.0.8-150500.5.48.1
* libopenssl3-64bit-debuginfo-3.0.8-150500.5.48.1
* Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* libopenssl-3-devel-3.0.8-150500.5.48.1
* openssl-3-debugsource-3.0.8-150500.5.48.1
* libopenssl3-debuginfo-3.0.8-150500.5.48.1
* openssl-3-3.0.8-150500.5.48.1
* libopenssl3-3.0.8-150500.5.48.1
* openssl-3-debuginfo-3.0.8-150500.5.48.1

## References:

* https://www.suse.com/security/cve/CVE-2023-50782.html
* https://www.suse.com/security/cve/CVE-2024-41996.html
* https://bugzilla.suse.com/show_bug.cgi?id=1220262
* https://bugzilla.suse.com/show_bug.cgi?id=1230698



SUSE-SU-2024:3777-1: important: Security update for the Linux Kernel (Live Patch 21 for SLE 15 SP4)


# Security update for the Linux Kernel (Live Patch 21 for SLE 15 SP4)

Announcement ID: SUSE-SU-2024:3777-1
Release Date: 2024-10-29T17:03:52Z
Rating: important
References:

* bsc#1225011
* bsc#1225012
* bsc#1225309
* bsc#1225311
* bsc#1225819
* bsc#1227471
* bsc#1231353

Cross-References:

* CVE-2021-47598
* CVE-2023-52752
* CVE-2024-35862
* CVE-2024-35863
* CVE-2024-35864
* CVE-2024-35867

CVSS scores:

* CVE-2021-47598 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2021-47598 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-52752 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-52752 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-35862 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-35863 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-35864 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-35867 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise Live Patching 15-SP4
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP4

An update that solves six vulnerabilities and has one security fix can now be
installed.

## Description:

This update for the Linux Kernel 5.14.21-150400_24_100 fixes several issues.

The following security issues were fixed:

* CVE-2021-47598: sch_cake: do not call cake_destroy() from cake_init()
(bsc#1227471).
* CVE-2024-35863: Fixed potential UAF in is_valid_oplock_break()
(bsc#1225011).
* CVE-2023-52752: smb: client: fix use-after-free bug in
cifs_debug_data_proc_show() (bsc#1225819).
* CVE-2024-35862: Fixed potential UAF in smb2_is_network_name_deleted()
(bsc#1225311).
* CVE-2024-35867: Fixed potential UAF in cifs_stats_proc_show() (bsc#1225012).
* CVE-2024-35864: Fixed potential UAF in smb2_is_valid_lease_break()
(bsc#1225309).
* Intermittent nfs mount failures (may be due to SUNRPC over UDP)
(bsc#1231353)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
zypper in -t patch SUSE-2024-3777=1

* SUSE Linux Enterprise Live Patching 15-SP4
zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP4-2024-3777=1

## Package List:

* openSUSE Leap 15.4 (ppc64le s390x x86_64)
* kernel-livepatch-5_14_21-150400_24_100-default-13-150400.2.1
* kernel-livepatch-5_14_21-150400_24_100-default-debuginfo-13-150400.2.1
* kernel-livepatch-SLE15-SP4_Update_21-debugsource-13-150400.2.1
* SUSE Linux Enterprise Live Patching 15-SP4 (ppc64le s390x x86_64)
* kernel-livepatch-5_14_21-150400_24_100-default-13-150400.2.1
* kernel-livepatch-5_14_21-150400_24_100-default-debuginfo-13-150400.2.1
* kernel-livepatch-SLE15-SP4_Update_21-debugsource-13-150400.2.1

## References:

* https://www.suse.com/security/cve/CVE-2021-47598.html
* https://www.suse.com/security/cve/CVE-2023-52752.html
* https://www.suse.com/security/cve/CVE-2024-35862.html
* https://www.suse.com/security/cve/CVE-2024-35863.html
* https://www.suse.com/security/cve/CVE-2024-35864.html
* https://www.suse.com/security/cve/CVE-2024-35867.html
* https://bugzilla.suse.com/show_bug.cgi?id=1225011
* https://bugzilla.suse.com/show_bug.cgi?id=1225012
* https://bugzilla.suse.com/show_bug.cgi?id=1225309
* https://bugzilla.suse.com/show_bug.cgi?id=1225311
* https://bugzilla.suse.com/show_bug.cgi?id=1225819
* https://bugzilla.suse.com/show_bug.cgi?id=1227471
* https://bugzilla.suse.com/show_bug.cgi?id=1231353



SUSE-SU-2024:3779-1: important: Security update for the Linux Kernel (Live Patch 46 for SLE 15 SP3)


# Security update for the Linux Kernel (Live Patch 46 for SLE 15 SP3)

Announcement ID: SUSE-SU-2024:3779-1
Release Date: 2024-10-29T19:03:47Z
Rating: important
References:

* bsc#1227471
* bsc#1227651
* bsc#1228573

Cross-References:

* CVE-2021-47291
* CVE-2021-47598
* CVE-2024-41059

CVSS scores:

* CVE-2021-47291 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2021-47598 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2021-47598 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-41059 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2024-41059 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-41059 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Affected Products:

* openSUSE Leap 15.3
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise Live Patching 15-SP3
* SUSE Linux Enterprise Micro 5.1
* SUSE Linux Enterprise Micro 5.2
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP3

An update that solves three vulnerabilities can now be installed.

## Description:

This update for the Linux Kernel 5.3.18-150300_59_167 fixes several issues.

The following security issues were fixed:

* CVE-2021-47598: sch_cake: do not call cake_destroy() from cake_init()
(bsc#1227471).
* CVE-2021-47291: ipv6: fix another slab-out-of-bounds in
fib6_nh_flush_exceptions (bsc#1227651).
* CVE-2024-41059: hfsplus: fix uninit-value in copy_name (bsc#1228573).
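Both live patch advisories in this batch (SUSE-SU-2024:3777-1 for 5.14.21-150400_24_100 above and SUSE-SU-2024:3779-1 here) carry the exact kernel build in the package name: a live patch is built for one kernel build only, and on a host running a different build it does not apply to the running kernel, so the host stays unpatched until it reboots into a fixed kernel. The Python example below is an added check, not a SUSE tool: it derives the package-name token from the kernel release string (dots become underscores), compares it with a package name from the advisory, and reads /sys/kernel/livepatch to confirm the module is present and enabled. The module directory names in the constructed test tree are assumptions.

```python
# Added example (not a SUSE tool): check that a kernel live patch package from
# an advisory targets the running kernel, and that the module is loaded and
# enabled according to /sys/kernel/livepatch.
import os
import platform
import tempfile


def livepatch_token(kernel_release: str) -> str:
    """'5.14.21-150400.24.100-default' -> '5_14_21-150400_24_100-default',
    the token that appears in SUSE kernel-livepatch package names."""
    return kernel_release.replace(".", "_")


def package_targets_kernel(package: str, kernel_release: str) -> bool:
    """True if a (possibly versioned) kernel-livepatch package name is built
    for the given kernel release."""
    prefix = "kernel-livepatch-" + livepatch_token(kernel_release)
    return package == prefix or package.startswith(prefix + "-")


def livepatch_status(sysfs_root: str = "/sys/kernel/livepatch") -> dict:
    """Map of loaded live patch module name -> enabled (bool); empty if none
    are loaded or the kernel has no live patching support."""
    status = {}
    if not os.path.isdir(sysfs_root):
        return status
    for name in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, name, "enabled")) as fh:
                status[name] = fh.read().strip() == "1"
        except OSError:
            status[name] = False
    return status


def report(packages, kernel_release=None, sysfs_root="/sys/kernel/livepatch"):
    """Human-readable verdict lines for each advisory package plus module state."""
    kernel_release = kernel_release or platform.release()
    lines = []
    for pkg in packages:
        verdict = "targets" if package_targets_kernel(pkg, kernel_release) else "does NOT target"
        lines.append(f"{pkg} {verdict} running kernel {kernel_release}")
    status = livepatch_status(sysfs_root)
    if not status:
        lines.append("no live patch modules loaded")
    for name, enabled in status.items():
        lines.append(f"{name}: enabled={int(enabled)}")
    return lines


def build_constructed_sysfs_tree() -> str:
    """Constructed stand-in for /sys/kernel/livepatch with one enabled and one
    disabled module (the names are assumptions), so the check runs offline."""
    root = tempfile.mkdtemp(prefix="livepatch-demo-")
    for name, flag in (("livepatch_5_14_21_150400_24_100_default_13_150400_2_1", "1"),
                       ("livepatch_old", "0")):
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "enabled"), "w") as fh:
            fh.write(flag + "\n")
    return root


if __name__ == "__main__":
    advisory_packages = [
        "kernel-livepatch-5_14_21-150400_24_100-default-13-150400.2.1",   # SUSE-SU-2024:3777-1
        "kernel-livepatch-5_3_18-150300_59_167-default-3-150300.7.6.1",   # SUSE-SU-2024:3779-1
    ]
    for line in report(advisory_packages):
        print(line)
```

On a real host the script is run as-is; the sysfs_root parameter exists only so the reading logic can be exercised against a constructed tree. A package that "does NOT target" the running kernel is the common failure mode to look for after a kernel update without a reboot.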

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.3
zypper in -t patch SUSE-2024-3779=1

* SUSE Linux Enterprise Live Patching 15-SP3
zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2024-3779=1

## Package List:

* openSUSE Leap 15.3 (ppc64le s390x x86_64)
* kernel-livepatch-5_3_18-150300_59_167-default-3-150300.7.6.1
* kernel-livepatch-5_3_18-150300_59_167-default-debuginfo-3-150300.7.6.1
* kernel-livepatch-SLE15-SP3_Update_46-debugsource-3-150300.7.6.1
* openSUSE Leap 15.3 (x86_64)
* kernel-livepatch-5_3_18-150300_59_167-preempt-debuginfo-3-150300.7.6.1
* kernel-livepatch-5_3_18-150300_59_167-preempt-3-150300.7.6.1
* SUSE Linux Enterprise Live Patching 15-SP3 (ppc64le s390x x86_64)
* kernel-livepatch-5_3_18-150300_59_167-default-3-150300.7.6.1

## References:

* https://www.suse.com/security/cve/CVE-2021-47291.html
* https://www.suse.com/security/cve/CVE-2021-47598.html
* https://www.suse.com/security/cve/CVE-2024-41059.html
* https://bugzilla.suse.com/show_bug.cgi?id=1227471
* https://bugzilla.suse.com/show_bug.cgi?id=1227651
* https://bugzilla.suse.com/show_bug.cgi?id=1228573



openSUSE-SU-2024:14431-1: moderate: grafana-11.3.0-1.1 on GA media


# grafana-11.3.0-1.1 on GA media

Announcement ID: openSUSE-SU-2024:14431-1
Rating: moderate

Cross-References:

* CVE-2024-8118
* CVE-2024-9264

CVSS scores:

* CVE-2024-8118 ( SUSE ): 4.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
* CVE-2024-9264 ( SUSE ): 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
* CVE-2024-9264 ( SUSE ): 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected Products:

* openSUSE Tumbleweed

An update that solves two vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the grafana-11.3.0-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* grafana 11.3.0-1.1

## References:

* https://www.suse.com/security/cve/CVE-2024-8118.html
* https://www.suse.com/security/cve/CVE-2024-9264.html



openSUSE-SU-2024:14433-1: moderate: python310-pytest-html-4.1.1-3.1 on GA media


# python310-pytest-html-4.1.1-3.1 on GA media

Announcement ID: openSUSE-SU-2024:14433-1
Rating: moderate

Cross-References:

* CVE-2024-48948

CVSS scores:

* CVE-2024-48948 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2024-48948 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the python310-pytest-html-4.1.1-3.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* python310-pytest-html 4.1.1-3.1
* python311-pytest-html 4.1.1-3.1
* python312-pytest-html 4.1.1-3.1

## References:

* https://www.suse.com/security/cve/CVE-2024-48948.html



SUSE-SU-2024:3771-1: important: Security update for pgadmin4


# Security update for pgadmin4

Announcement ID: SUSE-SU-2024:3771-1
Release Date: 2024-10-29T12:55:39Z
Rating: important
References:

* bsc#1224295
* bsc#1224366
* bsc#1226967
* bsc#1227248
* bsc#1227252
* bsc#1229423
* bsc#1229861
* bsc#1230928
* bsc#1231564
* bsc#1231684

Cross-References:

* CVE-2024-38355
* CVE-2024-38998
* CVE-2024-38999
* CVE-2024-39338
* CVE-2024-4067
* CVE-2024-4068
* CVE-2024-43788
* CVE-2024-48948
* CVE-2024-48949
* CVE-2024-9014

CVSS scores:

* CVE-2024-38355 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-38998 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
* CVE-2024-38998 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-38998 ( NVD ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-38999 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
* CVE-2024-39338 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2024-39338 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2024-39338 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-4067 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-4068 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-43788 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L
* CVE-2024-43788 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
* CVE-2024-43788 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2024-48948 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2024-48948 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2024-48949 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2024-48949 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
* CVE-2024-48949 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2024-9014 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2024-9014 ( SUSE ): 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-9014 ( NVD ): 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.6
* Python 3 Module 15-SP6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves 10 vulnerabilities can now be installed.

## Description:

This update for pgadmin4 fixes the following issues:

* CVE-2024-38355: Fixed socket.io: unhandled 'error' event (bsc#1226967)
* CVE-2024-38998: Fixed requirejs: prototype pollution via function config
(bsc#1227248)
* CVE-2024-38999: Fixed requirejs: prototype pollution via function
s.contexts._.configure (bsc#1227252)
* CVE-2024-39338: Fixed axios: server-side request forgery due to requests for
path relative URLs being processed as protocol relative URLs in axios
(bsc#1229423)
* CVE-2024-4067: Fixed micromatch: vulnerable to Regular Expression Denial of
Service (ReDoS) (bsc#1224366)
* CVE-2024-4068: Fixed braces: fails to limit the number of characters it can
handle, which could lead to Memory Exhaustion (bsc#1224295)
* CVE-2024-43788: Fixed webpack: DOM clobbering gadget in
AutoPublicPathRuntimeModule could lead to XSS (bsc#1229861)
* CVE-2024-48948: Fixed elliptic: ECDSA signature verification error due to
leading zero may reject legitimate transactions in elliptic (bsc#1231684)
* CVE-2024-48949: Fixed elliptic: Missing Validation in Elliptic's EDDSA
Signature Verification (bsc#1231564)
* CVE-2024-9014: Fixed OAuth2 issue that could lead to information leak
(bsc#1230928)
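The axios item (CVE-2024-39338) is worth a closer look because the mechanism is generic: in RFC 3986 reference resolution a value that begins with "//" is a network-path (protocol-relative) reference, so a server that joins a client-supplied "path" onto its own base URL ends up talking to a host the client chose. The Python example below is added here and is not axios or pgadmin4 code; it shows the naive join next to a resolver that checks the origin of the result rather than the shape of the input. The base URL, the sample inputs and the function names are constructed for the example.

```python
# Added example (not axios or pgadmin4 code): how a "relative" URL supplied by
# a client turns into a request to another host, and an origin check that
# stops it.
from urllib.parse import urljoin, urlsplit

BASE_URL = "https://api.internal.example/v1/"   # constructed internal service base


def resolve_naively(base: str, supplied: str) -> str:
    """Plain RFC 3986 reference resolution. '//host/path' is a network-path
    (protocol-relative) reference: it keeps the base scheme but swaps the host."""
    return urljoin(base, supplied)


def origin(url: str):
    """(scheme, host, port) of a URL; the tuple that must match for same-origin."""
    parts = urlsplit(url)
    host = parts.hostname.lower() if parts.hostname else None
    return (parts.scheme.lower(), host, parts.port)


def resolve_same_origin(base: str, supplied: str) -> str:
    """Resolve first, then refuse anything whose origin differs from the base.
    Checking the *result* instead of pattern-matching the input is what makes
    this robust against prefixes the resolver interprets differently."""
    resolved = urljoin(base, supplied)
    if origin(resolved) != origin(base):
        raise ValueError(f"refusing cross-origin request: {resolved!r}")
    return resolved


# Constructed client-supplied values, as a request parameter might carry them.
SAMPLES = [
    "users/42",                         # ordinary relative path
    "/v1/users/42",                     # absolute path, same host
    "//attacker.example/steal",         # protocol-relative: host swap (the SSRF)
    "https://attacker.example/x",       # absolute URL to another host
    "http://api.internal.example/v1/x", # same host, scheme downgrade
    "../../../admin",                   # path traversal stays on-origin (separate control)
]


def demo():
    """Return (supplied, naive result, checked result or 'REJECTED') per sample."""
    rows = []
    for supplied in SAMPLES:
        naive = resolve_naively(BASE_URL, supplied)
        try:
            checked = resolve_same_origin(BASE_URL, supplied)
        except ValueError:
            checked = "REJECTED"
        rows.append((supplied, naive, checked))
    return rows


if __name__ == "__main__":
    for supplied, naive, checked in demo():
        print(f"{supplied:34s} naive -> {naive:42s} checked -> {checked}")
```

The origin check deliberately does not try to enumerate bad prefixes ("//", "\\", scheme names): any such list misses whatever the next resolver normalises differently. Path traversal inside the same origin ("../../../admin") passes this check and needs its own allow-list of paths.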

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2024-3771=1 openSUSE-SLE-15.6-2024-3771=1

* Python 3 Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Python3-15-SP6-2024-3771=1

## Package List:

* openSUSE Leap 15.6 (noarch)
* pgadmin4-desktop-8.5-150600.3.6.1
* system-user-pgadmin-8.5-150600.3.6.1
* pgadmin4-doc-8.5-150600.3.6.1
* pgadmin4-cloud-8.5-150600.3.6.1
* pgadmin4-8.5-150600.3.6.1
* pgadmin4-web-uwsgi-8.5-150600.3.6.1
* Python 3 Module 15-SP6 (noarch)
* pgadmin4-8.5-150600.3.6.1
* system-user-pgadmin-8.5-150600.3.6.1
* pgadmin4-doc-8.5-150600.3.6.1

## References:

* https://www.suse.com/security/cve/CVE-2024-38355.html
* https://www.suse.com/security/cve/CVE-2024-38998.html
* https://www.suse.com/security/cve/CVE-2024-38999.html
* https://www.suse.com/security/cve/CVE-2024-39338.html
* https://www.suse.com/security/cve/CVE-2024-4067.html
* https://www.suse.com/security/cve/CVE-2024-4068.html
* https://www.suse.com/security/cve/CVE-2024-43788.html
* https://www.suse.com/security/cve/CVE-2024-48948.html
* https://www.suse.com/security/cve/CVE-2024-48949.html
* https://www.suse.com/security/cve/CVE-2024-9014.html
* https://bugzilla.suse.com/show_bug.cgi?id=1224295
* https://bugzilla.suse.com/show_bug.cgi?id=1224366
* https://bugzilla.suse.com/show_bug.cgi?id=1226967
* https://bugzilla.suse.com/show_bug.cgi?id=1227248
* https://bugzilla.suse.com/show_bug.cgi?id=1227252
* https://bugzilla.suse.com/show_bug.cgi?id=1229423
* https://bugzilla.suse.com/show_bug.cgi?id=1229861
* https://bugzilla.suse.com/show_bug.cgi?id=1230928
* https://bugzilla.suse.com/show_bug.cgi?id=1231564
* https://bugzilla.suse.com/show_bug.cgi?id=1231684



SUSE-SU-2024:3773-1: important: Security update for go1.23-openssl


# Security update for go1.23-openssl

Announcement ID: SUSE-SU-2024:3773-1
Release Date: 2024-10-29T13:54:32Z
Rating: important
References:

* bsc#1229122
* bsc#1230252
* bsc#1230253
* bsc#1230254
* jsc#SLE-18320

Cross-References:

* CVE-2024-34155
* CVE-2024-34156
* CVE-2024-34158

CVSS scores:

* CVE-2024-34155 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-34156 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-34156 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-34158 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-34158 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* Development Tools Module 15-SP5
* openSUSE Leap 15.5
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves three vulnerabilities, contains one feature and has one
security fix can now be installed.

## Description:

This update for go1.23-openssl fixes the following issues:

This update ships go1.23-openssl version 1.23.2.2. (jsc#SLE-18320)

* go1.23.2 (released 2024-10-01) includes fixes to the compiler, cgo, the
runtime, and the maps, os, os/exec, time, and unique packages.

* go#69119 os: double close pidfd if caller uses pidfd updated by
os.StartProcess

* go#69156 maps: segmentation violation in maps.Clone
* go#69219 cmd/cgo: alignment issue with int128 inside of a struct
* go#69240 unique: fatal error: found pointer to free object
* go#69333 runtime,time: timer.Stop returns false even when no value is read
from the channel
* go#69383 unique: large string still referenced, after interning only a small
substring
* go#69402 os/exec: resource leak on exec failure
* go#69511 cmd/compile: mysterious crashes and non-determinism with range over
func

* Update to version 1.23.1.1 cut from the go1.23-fips-release branch at the
revision tagged go1.23.1-1-openssl-fips.

* Update to Go 1.23.1 (#238)

* go1.23.1 (released 2024-09-05) includes security fixes to the encoding/gob,
go/build/constraint, and go/parser packages, as well as bug fixes to the
compiler, the go command, the runtime, and the database/sql, go/types, os,
runtime/trace, and unique packages.

CVE-2024-34155 CVE-2024-34156 CVE-2024-34158:

* go#69143 go#69138 bsc#1230252 security: fix CVE-2024-34155 go/parser: stack
exhaustion in all Parse* functions
* go#69145 go#69139 bsc#1230253 security: fix CVE-2024-34156 encoding/gob:
stack exhaustion in Decoder.Decode
* go#69149 go#69141 bsc#1230254 security: fix CVE-2024-34158
go/build/constraint: stack exhaustion in Parse
* go#68812 os: TestChtimes failures
* go#68894 go/types: 'under' panics on Alias type
* go#68905 cmd/compile: error in Go 1.23.0 with generics, type aliases and
indexing
* go#68907 os: CopyFS overwrites existing file in destination.
* go#68973 cmd/cgo: aix c-archive corrupting stack
* go#68992 unique: panic when calling unique.Make with string casted as any
* go#68994 cmd/go: any invocation creates read-only telemetry configuration
file under GOMODCACHE
* go#68995 cmd/go: multi-arch build via qemu fails to exec go binary
* go#69041 database/sql: panic in database/sql.(*connRequestSet).deleteIndex
* go#69087 runtime/trace: crash during traceAdvance when collecting call stack
for cgo-calling goroutine
* go#69094 cmd/go: breaking change in 1.23rc2 with version constraints in
GOPATH mode
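The three security fixes in go1.23.1 (CVE-2024-34155 in go/parser, CVE-2024-34156 in encoding/gob, CVE-2024-34158 in go/build/constraint) share one root cause: recursive parsing whose depth is controlled by the input. In Go, exhausting a goroutine stack is not a recoverable panic; the runtime aborts the process with a fatal error once the stack reaches its cap (1 GB by default on 64-bit), so the only defence is an explicit nesting limit checked before recursing. The Python example below is added here and is not code from the Go standard library; it shows that defence on a constructed toy grammar of nested parentheses, with the same recursive-descent parser run once without a limit and once with one. The grammar, the MAX_NEST_DEPTH value and the function names are assumptions of the example; in CPython the unbounded case surfaces as a catchable RecursionError rather than a crash, which is the one place the illustration differs from Go.

```python
# Added example (not Go standard library code): the defence the three
# go1.23.1 fixes share, an explicit nesting-depth limit in a recursive parser.
# Toy grammar (constructed): group := "(" item* ")", item := letter | group.
import sys

# Assumed bound. For a recursive parser it must sit well below the
# interpreter's own recursion limit so that *our* error fires first.
MAX_NEST_DEPTH = 200


class NestingTooDeep(ValueError):
    """Raised by the hardened parser before the stack can be exhausted."""


class ParseError(ValueError):
    pass


class GroupParser:
    def __init__(self, src: str, max_depth=None):
        self.src = src
        self.pos = 0
        self.depth = 0
        self.max_depth = max_depth      # None reproduces the vulnerable shape

    def parse(self) -> int:
        """Parse the whole input and return its maximum nesting depth."""
        deepest = self._group()
        if self.pos != len(self.src):
            raise ParseError(f"trailing input at {self.pos}")
        return deepest

    def _group(self) -> int:
        if self.pos >= len(self.src) or self.src[self.pos] != "(":
            raise ParseError(f"expected '(' at {self.pos}")
        self.pos += 1
        self.depth += 1
        try:
            # The only thing between hostile input and stack exhaustion. In Go
            # that condition is fatal for the whole process; in CPython it is a
            # RecursionError, which is at least catchable.
            if self.max_depth is not None and self.depth > self.max_depth:
                raise NestingTooDeep(f"nesting deeper than {self.max_depth}")
            deepest = self.depth
            while self.pos < len(self.src):
                ch = self.src[self.pos]
                if ch == ")":
                    self.pos += 1
                    return deepest
                if ch == "(":
                    deepest = max(deepest, self._group())
                elif ch.isalpha() or ch == " ":
                    self.pos += 1
                else:
                    raise ParseError(f"unexpected {ch!r} at {self.pos}")
            raise ParseError("unterminated group")
        finally:
            self.depth -= 1


def parse_groups(src: str, max_depth=None) -> int:
    return GroupParser(src, max_depth).parse()


def hostile_input(levels: int) -> str:
    """Constructed attacker input: `levels` nested groups with nothing inside."""
    return "(" * levels + ")" * levels


if __name__ == "__main__":
    print(parse_groups("(a (b c) d)", MAX_NEST_DEPTH))      # 2
    deep = hostile_input(50_000)
    try:
        parse_groups(deep, MAX_NEST_DEPTH)
    except NestingTooDeep as exc:
        print("bounded parser:", exc)
    try:
        parse_groups(deep)                                  # unbounded: interpreter limit, not ours
    except RecursionError:
        print("unbounded parser: RecursionError at interpreter limit", sys.getrecursionlimit())
```

The bounded parser fails closed with a specific, loggable error long before the interpreter's limit; the unbounded one is at the mercy of whatever the runtime does when the stack runs out. The same shape applies to decoders of self-describing formats such as gob, where the nesting comes from type descriptors rather than brackets.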

* go1.23 (released 2024-08-13) is a major release of Go. go1.23.x minor
releases will be provided through August 2025.
https://github.com/golang/go/wiki/Go-Release-Cycle go1.23 arrives six months
after go1.22. Most of its changes are in the implementation of the
toolchain, runtime, and libraries. As always, the release maintains the Go 1
promise of compatibility. We expect almost all Go programs to continue to
compile and run as before.

* Language change: Go 1.23 makes the (Go 1.22) "range-over-func" experiment a
part of the language. The "range" clause in a "for-range" loop now accepts
iterator functions of the types func(func() bool), func(func(K) bool) and
func(func(K, V) bool) as range expressions. Calls of the iterator argument
function produce the iteration values for the "for-range" loop. For details
see the iter package documentation and the language spec. For motivation see
the 2022 "range-over-func" discussion.

* Language change: Go 1.23 includes preview support for generic type aliases.
Building the toolchain with GOEXPERIMENT=aliastypeparams enables this
feature within a package. (Using generic alias types across package
boundaries is not yet supported.)
* Opt-in Telemetry: Starting in Go 1.23, the Go toolchain can collect usage
and breakage statistics that help the Go team understand how the Go
toolchain is used and how well it is working. We refer to these statistics
as Go telemetry. Go telemetry is an opt-in system, controlled by the go
telemetry command. By default, the toolchain programs collect statistics in
counter files that can be inspected locally but are otherwise unused (go
telemetry local). To help us keep Go working well and understand Go usage,
please consider opting in to Go telemetry by running go telemetry on. In
that mode, anonymous counter reports are uploaded to telemetry.go.dev
weekly, where they are aggregated into graphs and also made available for
download by any Go contributors or users wanting to analyze the data. See
"Go Telemetry" for more details about the Go Telemetry system.
* go command: Setting the GOROOT_FINAL environment variable no longer has an
effect (#62047). Distributions that install the go command to a location
other than $GOROOT/bin/go should install a symlink instead of relocating or
copying the go binary.
* go command: The new go env -changed flag causes the command to print only
those settings whose effective value differs from the default value that
would be obtained in an empty environment with no prior uses of the -w flag.
* go command: The new go mod tidy -diff flag causes the command not to modify
the files but instead print the necessary changes as a unified diff. It
exits with a non-zero code if updates are needed.
* go command: The go list -m -json command now includes new Sum and GoModSum
fields. This is similar to the existing behavior of the go mod download
-json command.
* go command: The new godebug directive in go.mod and go.work declares a
GODEBUG setting to apply for the work module or workspace in use.
* go vet: The go vet subcommand now includes the stdversion analyzer, which
flags references to symbols that are too new for the version of Go in effect
in the referring file. (The effective version is determined by the go
directive in the file's enclosing go.mod file, and by any //go:build
constraints in the file.) For example, it will report a diagnostic for a
reference to the reflect.TypeFor function (introduced in go1.22) from a file
in a module whose go.mod file specifies go 1.21.
* cgo: cmd/cgo supports the new -ldflags flag for passing flags to the C
linker. The go command uses it automatically, avoiding "argument list too
long" errors with a very large CGO_LDFLAGS.
* go trace: The trace tool now better tolerates partially broken traces by
attempting to recover what trace data it can. This functionality is
particularly helpful when viewing a trace that was collected during a
program crash, since the trace data leading up to the crash will now be
recoverable under most circumstances.
* Runtime: The traceback printed by the runtime after an unhandled panic or
other fatal error now indents the second and subsequent lines of the error
message (for example, the argument to panic) by a single tab, so that it can
be unambiguously distinguished from the stack trace of the first goroutine.
See go#64590 for discussion.
* Compiler: The build time overhead to building with Profile Guided
Optimization has been reduced significantly. Previously, large builds could
see 100%+ build time increase from enabling PGO. In Go 1.23, overhead should
be in the single digit percentages.
* Compiler: The compiler in Go 1.23 can now overlap the stack frame slots of
local variables accessed in disjoint regions of a function, which reduces
stack usage for Go applications.
* Compiler: For 386 and amd64, the compiler will use information from PGO to
align certain hot blocks in loops. This improves performance an additional
1-1.5% at a cost of an additional 0.1% text and binary size. This is
currently only implemented on 386 and amd64 because it has not shown an
improvement on other platforms. Hot block alignment can be disabled with
-gcflags=[<packages>=]-d=alignhot=0.
* Linker: The linker now disallows using a //go:linkname directive to refer to
internal symbols in the standard library (including the runtime) that are
not marked with //go:linkname on their definitions. Similarly, the linker
disallows references to such symbols from assembly code. For backward
compatibility, existing usages of //go:linkname found in a large open-source
code corpus remain supported. Any new references to standard library
internal symbols will be disallowed.
* Linker: A linker command line flag -checklinkname=0 can be used to disable
this check, for debugging and experimenting purposes.
* Linker: When building a dynamically linked ELF binary (including PIE
binary), the new -bindnow flag enables immediate function binding.
* Standard library changes:
* timer: 1.23 makes two significant changes to the implementation of
time.Timer and time.Ticker. First, Timers and Tickers that are no longer
referred to by the program become eligible for garbage collection
immediately, even if their Stop methods have not been called. Earlier
versions of Go did not collect unstopped Timers until after they had fired
and never collected unstopped Tickers. Second, the timer channel associated
with a Timer or Ticker is now unbuffered, with capacity 0. The main effect
of this change is that Go now guarantees that for any call to a Reset or
Stop method, no stale values prepared before that call will be sent or
received after the call. Earlier versions of Go used channels with a one-
element buffer, making it difficult to use Reset and Stop correctly. A
visible effect of this change is that len and cap of timer channels now
returns 0 instead of 1, which may affect programs that poll the length to
decide whether a receive on the timer channel will succeed. Such code should
use a non-blocking receive instead. These new behaviors are only enabled
when the main Go program is in a module with a go.mod go line using Go
1.23.0 or later. When Go 1.23 builds older programs, the old behaviors
remain in effect. The new GODEBUG setting asynctimerchan=1 can be used to
revert back to asynchronous channel behaviors even when a program names Go
1.23.0 or later in its go.mod file.
* unique: The new unique package provides facilities for canonicalizing values
(like "interning" or "hash-consing"). Any value of comparable type may be
canonicalized with the new Make[T] function, which produces a reference to a
canonical copy of the value in the form of a Handle[T]. Two Handle[T] are
equal if and only if the values used to produce the handles are equal,
allowing programs to deduplicate values and reduce their memory footprint.
Comparing two Handle[T] values is efficient, reducing down to a simple
pointer comparison.
* iter: The new iter package provides the basic definitions for working with
user-defined iterators.
* slices: The slices package adds several functions that work with iterators:
* All returns an iterator over slice indexes and values.
* Values returns an iterator over slice elements.
* Backward returns an iterator that loops over a slice backward.
* Collect collects values from an iterator into a new slice.
* AppendSeq appends values from an iterator to an existing slice.
* Sorted collects values from an iterator into a new slice, and then sorts the slice.
* SortedFunc is like Sorted but with a comparison function.
* SortedStableFunc is like SortedFunc but uses a stable sort algorithm.
* Chunk returns an iterator over consecutive sub-slices of up to n elements of a slice.
* maps: The maps package adds several functions that work with iterators:
* All returns an iterator over key-value pairs from a map.
* Keys returns an iterator over keys in a map.
* Values returns an iterator over values in a map.
* Insert adds the key-value pairs from an iterator to an existing map.
* Collect collects key-value pairs from an iterator into a new map and returns it.
* structs: The new structs package provides types for struct fields that
modify properties of the containing struct type such as memory layout. In
this release, the only such type is HostLayout which indicates that a
structure with a field of that type has a layout that conforms to host
platform expectations.
* Minor changes to the standard library: As always, there are various minor
changes and updates to the library, made with the Go 1 promise of
compatibility in mind.
* archive/tar: If the argument to FileInfoHeader implements the new
FileInfoNames interface, then the interface methods will be used to set the
Uname/Gname of the file header. This allows applications to override the
system-dependent Uname/Gname lookup.
* crypto/tls: The TLS client now supports the Encrypted Client Hello draft
specification. This feature can be enabled by setting the
Config.EncryptedClientHelloConfigList field to an encoded ECHConfigList for
the host that is being connected to.
* crypto/tls: The QUICConn type used by QUIC implementations includes new
events reporting on the state of session resumption, and provides a way for
the QUIC layer to add data to session tickets and session cache entries.
* crypto/tls: 3DES cipher suites were removed from the default list used when
Config.CipherSuites is nil. The default can be reverted by adding tls3des=1
to the GODEBUG environment variable.
* crypto/tls: The experimental post-quantum key exchange mechanism
X25519Kyber768Draft00 is now enabled by default when Config.CurvePreferences
is nil. The default can be reverted by adding tlskyber=0 to the GODEBUG
environment variable.
* crypto/tls: Go 1.23 changed the behavior of X509KeyPair and LoadX509KeyPair
to populate the Certificate.Leaf field of the returned Certificate. The new
x509keypairleaf GODEBUG setting is added for this behavior.
* crypto/x509: CreateCertificateRequest now correctly supports RSA-PSS
signature algorithms.
* crypto/x509: CreateCertificateRequest and CreateRevocationList now verify
the generated signature using the signer's public key. If the signature is
invalid, an error is returned. This has been the behavior of
CreateCertificate since Go 1.16.
* crypto/x509: The x509sha1 GODEBUG setting will be removed in the next Go
major release (Go 1.24). This will mean that crypto/x509 will no longer
support verifying signatures on certificates that use SHA-1 based signature
algorithms.
* crypto/x509: The new ParseOID function parses a dot-encoded ASN.1 Object
Identifier string. The OID type now implements the encoding.BinaryMarshaler,
encoding.BinaryUnmarshaler, encoding.TextMarshaler, encoding.TextUnmarshaler
interfaces.
* database/sql: Errors returned by driver.Valuer implementations are now
wrapped for improved error handling during operations like DB.Query,
DB.Exec, and DB.QueryRow.
* debug/elf: The debug/elf package now defines PT_OPENBSD_NOBTCFI. This
ProgType is used to disable Branch Tracking Control Flow Integrity (BTCFI)
enforcement on OpenBSD binaries.
* debug/elf: Now defines the symbol type constants STT_RELC, STT_SRELC, and
STT_GNU_IFUNC.
* encoding/binary: The new Encode and Decode functions are byte slice
equivalents to Read and Write. Append allows marshaling multiple data into
the same byte slice.
* go/ast: The new Preorder function returns a convenient iterator over all the
nodes of a syntax tree.
* go/types: The Func type, which represents a function or method symbol, now
has a Func.Signature method that returns the function's type, which is
always a Signature.
* go/types: The Alias type now has an Rhs method that returns the type on the
right-hand side of its declaration: given type A = B, the Rhs of A is B.
(go#66559)
* go/types: The methods Alias.Origin, Alias.SetTypeParams, Alias.TypeParams,
and Alias.TypeArgs have been added. They are needed for generic alias types.
* go/types: By default, go/types now produces Alias type nodes for type
aliases. This behavior can be controlled by the GODEBUG gotypesalias flag.
Its default has changed from 0 in Go 1.22 to 1 in Go 1.23.
* math/rand/v2: The Uint function and Rand.Uint method have been added. They
were inadvertently left out of Go 1.22.
* math/rand/v2: The new ChaCha8.Read method implements the io.Reader
interface.
* net: The new type KeepAliveConfig permits fine-tuning the keep-alive options
for TCP connections, via a new TCPConn.SetKeepAliveConfig method and new
KeepAliveConfig fields for Dialer and ListenConfig.
* net: The DNSError type now wraps errors caused by timeouts or cancellation.
For example, errors.Is(someDNSErr, context.DeadlineExceeded) will now
report whether a DNS error was caused by a timeout.
* net: The new GODEBUG setting netedns0=0 disables sending EDNS0 additional
headers on DNS requests, as they reportedly break the DNS server on some
modems.
* net/http: Cookie now preserves double quotes surrounding a cookie value. The
new Cookie.Quoted field indicates whether the Cookie.Value was originally
quoted.
* net/http: The new Request.CookiesNamed method retrieves all cookies that
match the given name.
* net/http: The new Cookie.Partitioned field identifies cookies with the
Partitioned attribute.
* net/http: The patterns used by ServeMux now allow one or more spaces or tabs
after the method name. Previously, only a single space was permitted.
* net/http: The new ParseCookie function parses a Cookie header value and
returns all the cookies which were set in it. Since the same cookie name can
appear multiple times the returned Values can contain more than one value
for a given key.
* net/http: The new ParseSetCookie function parses a Set-Cookie header value
and returns a cookie. It returns an error on syntax error.
* net/http: ServeContent, ServeFile, and ServeFileFS now remove the Cache-
Control, Content-Encoding, Etag, and Last-Modified headers when serving an
error. These headers usually apply to the non-error content, but not to the
text of errors.
* net/http: Middleware which wraps a ResponseWriter and applies on-the-fly
encoding, such as Content-Encoding: gzip, will not function after this
change. The previous behavior of ServeContent, ServeFile, and ServeFileFS
may be restored by setting GODEBUG=httpservecontentkeepheaders=1. Note that
middleware which changes the size of the served content (such as by
compressing it) already does not function properly when ServeContent handles
a Range request. On-the-fly compression should use the Transfer-Encoding
header instead of Content-Encoding.
* net/http: For inbound requests, the new Request.Pattern field contains the
ServeMux pattern (if any) that matched the request. This field is not set
when GODEBUG=httpmuxgo121=1 is set.
* net/http/httptest: The new NewRequestWithContext method creates an incoming
request with a context.Context.
* net/netip: In Go 1.22 and earlier, using reflect.DeepEqual to compare an
Addr holding an IPv4 address to one holding the IPv4-mapped IPv6 form of
that address incorrectly returned true, even though the Addr values were
different when comparing with == or Addr.Compare. This bug is now fixed and
all three approaches now report the same result.
* os: The Stat function now sets the ModeSocket bit for files that are Unix
sockets on Windows. These files are identified by having a reparse tag set
to IO_REPARSE_TAG_AF_UNIX.
* os: On Windows, the mode bits reported by Lstat and Stat for reparse points
changed. Mount points no longer have ModeSymlink set, and reparse points
that are not symlinks, Unix sockets, or dedup files now always have
ModeIrregular set. This behavior is controlled by the winsymlink setting.
For Go 1.23, it defaults to winsymlink=1. Previous versions default to
winsymlink=0.
* os: The CopyFS function copies an io/fs.FS into the local filesystem.
* os: On Windows, Readlink no longer tries to normalize volumes to drive
letters, which was not always even possible. This behavior is controlled by
the winreadlinkvolume setting. For Go 1.23, it defaults to
winreadlinkvolume=1. Previous versions default to winreadlinkvolume=0.
* os: On Linux with pidfd support (generally Linux v5.4+), Process-related
functions and methods use pidfd (rather than PID) internally, eliminating
potential mistargeting when a PID is reused by the OS. Pidfd support is
fully transparent to a user, except for additional process file descriptors
that a process may have.
* path/filepath: The new Localize function safely converts a slash-separated
path into an operating system path.
* path/filepath: On Windows, EvalSymlinks no longer evaluates mount points,
which was a source of many inconsistencies and bugs. This behavior is
controlled by the winsymlink setting. For Go 1.23, it defaults to
winsymlink=1. Previous versions default to winsymlink=0.
* path/filepath: On Windows, EvalSymlinks no longer tries to normalize volumes
to drive letters, which was not always even possible. This behavior is
controlled by the winreadlinkvolume setting. For Go 1.23, it defaults to
winreadlinkvolume=1. Previous versions default to winreadlinkvolume=0.
* reflect: The new methods synonymous with the methods of the same name in
Value are added to Type:
* Type.OverflowComplex
* Type.OverflowFloat
* Type.OverflowInt
* Type.OverflowUint
* reflect: The new SliceAt function is analogous to NewAt, but for slices.
* reflect: The Value.Pointer and Value.UnsafePointer methods now support
values of kind String.
* reflect: The new methods Value.Seq and Value.Seq2 return sequences that
iterate over the value as though it were used in a for/range loop. The new
methods Type.CanSeq and Type.CanSeq2 report whether calling Value.Seq and
Value.Seq2, respectively, will succeed without panicking.
* runtime/debug: The SetCrashOutput function allows the user to specify an
alternate file to which the runtime should write its fatal crash report. It
may be used to construct an automated reporting mechanism for all unexpected
crashes, not just those in goroutines that explicitly use recover.
* runtime/pprof: The maximum stack depth for alloc, mutex, block, threadcreate
and goroutine profiles has been raised from 32 to 128 frames.
* runtime/trace: The runtime now explicitly flushes trace data when a program
crashes due to an uncaught panic. This means that more complete trace data
will be available in a trace if the program crashes while tracing is active.
* slices: The Repeat function returns a new slice that repeats the provided
slice the given number of times.
* sync: The Map.Clear method deletes all the entries, resulting in an empty
Map. It is analogous to clear.
* sync/atomic: The new And and Or operators apply a bitwise AND or OR to the
given input, returning the old value.
* syscall: The syscall package now defines WSAENOPROTOOPT on Windows.
* syscall: The GetsockoptInt function is now supported on Windows.
* testing/fstest: TestFS now returns a structured error that can be unwrapped
(via method Unwrap() []error). This allows inspecting errors using errors.Is
or errors.As.
* text/template: Templates now support the new "else with" action, which
reduces template complexity in some use cases.
* time: Parse and ParseInLocation now return an error if the time zone offset
is out of range.
* unicode/utf16: The RuneLen function returns the number of 16-bit words in
the UTF-16 encoding of the rune. It returns -1 if the rune is not a valid
value to encode in UTF-16.
* Port: Darwin: As announced in the Go 1.22 release notes, Go 1.23 requires
macOS 11 Big Sur or later; support for previous versions has been
discontinued.
* Port: Linux: Go 1.23 is the last release that requires Linux kernel version
2.6.32 or later. Go 1.24 will require Linux kernel version 3.17 or later,
with an exception that systems running 3.10 or later will continue to be
supported if the kernel has been patched to support the getrandom system
call.
* Port: OpenBSD: Go 1.23 adds experimental support for OpenBSD on 64-bit
RISC-V (GOOS=openbsd, GOARCH=riscv64).
* Port: ARM64: Go 1.23 introduces a new GOARM64 environment variable, which
specifies the minimum target version of the ARM64 architecture at compile
time. Allowed values are v8.{0-9} and v9.{0-5}. This may be followed by an
option specifying extensions implemented by target hardware. Valid options
are ,lse and ,crypto. The GOARM64 environment variable defaults to v8.0.
* Port: RISC-V: Go 1.23 introduces a new GORISCV64 environment variable, which
selects the RISC-V user-mode application profile for which to compile.
Allowed values are rva20u64 and rva22u64. The GORISCV64 environment variable
defaults to rva20u64.
* Port: Wasm: The go_wasip1_wasm_exec script in GOROOT/misc/wasm has dropped
support for versions of wasmtime < 14.0.0.
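The crypto/x509 changes listed above (CreateCertificateRequest now verifies the signature it produced with the signer's public key; the receiving side re-checks it with CheckSignature) in working form. This is an added example written for this page, not code from the Go project or from the SUSE advisory. The hostnames are made up, and an ECDSA P-256 key is used, so the RSA-PSS path mentioned above is not exercised here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// buildCSR generates a fresh P-256 key and a PEM-encoded CSR for dnsNames.
// Since Go 1.23 CreateCertificateRequest verifies the signature it just
// produced with the signer's public key, so a broken or mismatched signer
// fails here instead of at the CA.
func buildCSR(dnsNames []string) ([]byte, *ecdsa.PrivateKey, error) {
	if len(dnsNames) == 0 {
		return nil, nil, errors.New("at least one DNS name required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: dnsNames[0]},
		DNSNames: dnsNames,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// inspectCSR is the CA-side intake step: decode, re-check proof of possession
// with CheckSignature, and return only the SANs that were actually signed.
func inspectCSR(pemCSR []byte) ([]string, x509.SignatureAlgorithm, error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, 0, errors.New("no CERTIFICATE REQUEST block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, 0, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, 0, fmt.Errorf("CSR signature does not verify: %w", err)
	}
	return csr.DNSNames, csr.SignatureAlgorithm, nil
}

// tamperCSR flips the case of the first byte of marker inside the signed
// CertificationRequestInfo (the DER stays well-formed, only the content
// changes), simulating a request altered in transit.
func tamperCSR(pemCSR []byte, marker string) []byte {
	block, _ := pem.Decode(pemCSR)
	if block == nil {
		return pemCSR
	}
	der := append([]byte(nil), block.Bytes...)
	if i := bytes.Index(der, []byte(marker)); i >= 0 {
		der[i] ^= 0x20 // 's' <-> 'S'
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	// Constructed hostnames, not a real deployment.
	pemCSR, _, err := buildCSR([]string{"svc.example.internal", "svc"})
	if err != nil {
		panic(err)
	}
	names, alg, err := inspectCSR(pemCSR)
	fmt.Println("genuine:", names, alg, err)
	_, _, err = inspectCSR(tamperCSR(pemCSR, "svc.example"))
	fmt.Println("tampered:", err)
}
```

A CA that skips CheckSignature and issues on whatever DNSNames it parsed would mint a certificate for a name the key holder never requested; the tampered case shows why the check has to happen on the receiving side as well as at creation time.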
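The net/http cookie additions listed above (ParseCookie, ParseSetCookie, Cookie.Quoted, Cookie.Partitioned) applied to constructed headers. This is an added example, not code from the Go project or from the advisory; the header values and the list of attribute checks are made up for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// Constructed sample headers for this example; not captured traffic.
const (
	sampleCookieHeader    = `session=abc123; session=evil; theme="dark"; lang=en`
	sampleSetCookieHeader = `session=abc123; Path=/; Secure; HttpOnly; SameSite=None; Partitioned`
)

// duplicateNames returns cookie names that occur more than once in a Cookie
// header, with every value seen. http.ParseCookie (Go 1.23) keeps each
// occurrence, so a second "session" cookie planted on a parent domain is
// visible rather than silently collapsed into one value.
func duplicateNames(header string) (map[string][]string, error) {
	cookies, err := http.ParseCookie(header)
	if err != nil {
		return nil, err
	}
	seen := map[string][]string{}
	for _, c := range cookies {
		seen[c.Name] = append(seen[c.Name], c.Value)
	}
	dups := map[string][]string{}
	for name, values := range seen {
		if len(values) > 1 {
			dups[name] = values
		}
	}
	return dups, nil
}

// quotedValues reports which cookies carried a double-quoted value. The new
// Cookie.Quoted field lets a proxy re-emit the header byte-for-byte instead
// of normalising the quotes away.
func quotedValues(header string) (map[string]bool, error) {
	cookies, err := http.ParseCookie(header)
	if err != nil {
		return nil, err
	}
	out := map[string]bool{}
	for _, c := range cookies {
		out[c.Name] = c.Quoted
	}
	return out, nil
}

// setCookieFlags are the attributes a review of a Set-Cookie header checks.
type setCookieFlags struct {
	Secure, HttpOnly, Partitioned bool
	SameSite                      http.SameSite
}

// checkSetCookie parses one Set-Cookie value with http.ParseSetCookie and
// lists attribute combinations that browsers reject or that weaken the cookie.
func checkSetCookie(header string) (setCookieFlags, []string, error) {
	c, err := http.ParseSetCookie(header)
	if err != nil {
		return setCookieFlags{}, nil, err
	}
	f := setCookieFlags{Secure: c.Secure, HttpOnly: c.HttpOnly, Partitioned: c.Partitioned, SameSite: c.SameSite}
	var problems []string
	if !c.Secure {
		problems = append(problems, "missing Secure")
	}
	if !c.HttpOnly {
		problems = append(problems, "missing HttpOnly")
	}
	if c.SameSite == http.SameSiteNoneMode && !c.Secure {
		problems = append(problems, "SameSite=None requires Secure")
	}
	if c.Partitioned && !c.Secure {
		problems = append(problems, "Partitioned requires Secure")
	}
	return f, problems, nil
}

func main() {
	dups, err := duplicateNames(sampleCookieHeader)
	fmt.Println("duplicates:", dups, err)
	q, _ := quotedValues(sampleCookieHeader)
	fmt.Println("quoted:", q)
	f, problems, err := checkSetCookie(sampleSetCookieHeader)
	fmt.Printf("flags: %+v problems: %v err: %v\n", f, problems, err)
}
```

Request.Cookie(name) still returns only the first match, so a handler that wants to detect cookie shadowing has to look at the raw header (or Request.CookiesNamed) rather than the single-value accessor.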
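The path/filepath Localize change listed above, used the way an archive extractor or static file handler would before touching the filesystem. This is an added example, not the Go project's or SUSE's code; the root directory and member names are constructed, and the expected accept/reject outcomes are for a Unix host (Windows additionally rejects backslashes and reserved device names).

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errEscapesRoot = errors.New("resolved path escapes root")

// resolveUnder maps an untrusted slash-separated name (an archive member, a
// URL path segment) to a file path under root. filepath.Localize (Go 1.23)
// rejects anything that is not a valid io/fs path: a leading "/", "." or ".."
// elements, empty elements, and whatever the host OS cannot represent (NUL
// bytes on Unix, reserved names and backslashes on Windows). The prefix check
// after Join is belt and braces for a root that is itself unclean.
func resolveUnder(root, untrusted string) (string, error) {
	local, err := filepath.Localize(untrusted)
	if err != nil {
		return "", fmt.Errorf("reject %q: %w", untrusted, err)
	}
	cleanRoot := filepath.Clean(root)
	full := filepath.Join(cleanRoot, local)
	sep := string(filepath.Separator)
	prefix := cleanRoot
	if !strings.HasSuffix(prefix, sep) {
		prefix += sep
	}
	if full != cleanRoot && !strings.HasPrefix(full, prefix) {
		return "", errEscapesRoot
	}
	return full, nil
}

// triage runs a batch of member names through resolveUnder, the way an
// extractor would before creating any file, and returns what it would write
// and what it would refuse.
func triage(root string, names []string) (accepted, rejected []string) {
	for _, n := range names {
		p, err := resolveUnder(root, n)
		if err != nil {
			rejected = append(rejected, n)
			continue
		}
		accepted = append(accepted, p)
	}
	return accepted, rejected
}

// Constructed member names covering the cases Localize is meant to catch.
var sampleNames = []string{
	"docs/readme.txt",       // fine
	"../../etc/passwd",      // classic traversal
	"/etc/shadow",           // rooted
	"bin/./tool",            // "." element
	"a//b",                  // empty element
	"ok\x00hidden",          // NUL byte, rejected by the OS-specific step
	"nested/deep/file.conf", // fine
}

func main() {
	// "/srv/extract" is a made-up destination directory.
	accepted, rejected := triage("/srv/extract", sampleNames)
	fmt.Println("would write:", accepted)
	fmt.Println("refused:", len(rejected))
	for _, n := range rejected {
		_, err := resolveUnder("/srv/extract", n)
		fmt.Printf("  %q: %v\n", n, err)
	}
}
```

Localize only validates and converts the name; it does not follow symlinks, so an extractor that writes through a previously extracted symlink still needs O_NOFOLLOW or an equivalent check at open time.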

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* Development Tools Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-3773=1

* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-3773=1

## Package List:

* Development Tools Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* go1.23-openssl-doc-1.23.2.2-150000.1.3.1
* go1.23-openssl-debuginfo-1.23.2.2-150000.1.3.1
* go1.23-openssl-1.23.2.2-150000.1.3.1
* go1.23-openssl-race-1.23.2.2-150000.1.3.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* go1.23-openssl-doc-1.23.2.2-150000.1.3.1
* go1.23-openssl-debuginfo-1.23.2.2-150000.1.3.1
* go1.23-openssl-1.23.2.2-150000.1.3.1
* go1.23-openssl-race-1.23.2.2-150000.1.3.1

## References:

* https://www.suse.com/security/cve/CVE-2024-34155.html
* https://www.suse.com/security/cve/CVE-2024-34156.html
* https://www.suse.com/security/cve/CVE-2024-34158.html
* https://bugzilla.suse.com/show_bug.cgi?id=1229122
* https://bugzilla.suse.com/show_bug.cgi?id=1230252
* https://bugzilla.suse.com/show_bug.cgi?id=1230253
* https://bugzilla.suse.com/show_bug.cgi?id=1230254
* https://jira.suse.com/browse/SLE-18320



SUSE-SU-2024:3774-1: important: Security update for the Linux Kernel (Live Patch 45 for SLE 15 SP3)


# Security update for the Linux Kernel (Live Patch 45 for SLE 15 SP3)

Announcement ID: SUSE-SU-2024:3774-1
Release Date: 2024-10-29T15:04:01Z
Rating: important
References:

* bsc#1223683
* bsc#1225309
* bsc#1225310
* bsc#1225311
* bsc#1225312
* bsc#1225819
* bsc#1226325
* bsc#1227471
* bsc#1227651
* bsc#1228573

Cross-References:

* CVE-2021-47291
* CVE-2021-47598
* CVE-2023-52752
* CVE-2024-26923
* CVE-2024-35861
* CVE-2024-35862
* CVE-2024-35864
* CVE-2024-35950
* CVE-2024-36964
* CVE-2024-41059

CVSS scores:

* CVE-2021-47291 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2021-47598 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2021-47598 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-52752 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-52752 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-26923 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-35861 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-35862 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-35864 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-35950 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-36964 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-41059 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2024-41059 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-41059 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Affected Products:

* openSUSE Leap 15.3
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise Live Patching 15-SP3
* SUSE Linux Enterprise Micro 5.1
* SUSE Linux Enterprise Micro 5.2
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP3

An update that solves 10 vulnerabilities can now be installed.

## Description:

This update for the Linux Kernel 5.3.18-150300_59_164 fixes several issues.

The following security issues were fixed:

* CVE-2021-47598: sch_cake: do not call cake_destroy() from cake_init()
(bsc#1227471).
* CVE-2023-52752: smb: client: fix use-after-free bug in
cifs_debug_data_proc_show() (bsc#1225819).
* CVE-2024-35862: Fixed potential UAF in smb2_is_network_name_deleted()
(bsc#1225311).
* CVE-2024-35864: Fixed potential UAF in smb2_is_valid_lease_break()
(bsc#1225309).
* CVE-2024-35861: Fixed potential UAF in cifs_signal_cifsd_for_reconnect()
(bsc#1225312).
* CVE-2021-47291: ipv6: fix another slab-out-of-bounds in
fib6_nh_flush_exceptions (bsc#1227651).
* CVE-2024-41059: hfsplus: fix uninit-value in copy_name (bsc#1228573).
* CVE-2024-36964: fs/9p: only translate RWX permissions for plain 9P2000
(bsc#1226325).
* CVE-2024-26923: Fixed false-positive lockdep splat for spin_lock() in
__unix_gc() (bsc#1223683).
* CVE-2024-35950: drm/client: Fully protect modes with dev->mode_config.mutex
(bsc#1225310).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.3
zypper in -t patch SUSE-2024-3774=1

* SUSE Linux Enterprise Live Patching 15-SP3
zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2024-3774=1

## Package List:

* openSUSE Leap 15.3 (ppc64le s390x x86_64)
* kernel-livepatch-SLE15-SP3_Update_45-debugsource-4-150300.7.6.1
* kernel-livepatch-5_3_18-150300_59_164-default-debuginfo-4-150300.7.6.1
* kernel-livepatch-5_3_18-150300_59_164-default-4-150300.7.6.1
* openSUSE Leap 15.3 (x86_64)
* kernel-livepatch-5_3_18-150300_59_164-preempt-4-150300.7.6.1
* kernel-livepatch-5_3_18-150300_59_164-preempt-debuginfo-4-150300.7.6.1
* SUSE Linux Enterprise Live Patching 15-SP3 (ppc64le s390x x86_64)
* kernel-livepatch-5_3_18-150300_59_164-default-4-150300.7.6.1

## References:

* https://www.suse.com/security/cve/CVE-2021-47291.html
* https://www.suse.com/security/cve/CVE-2021-47598.html
* https://www.suse.com/security/cve/CVE-2023-52752.html
* https://www.suse.com/security/cve/CVE-2024-26923.html
* https://www.suse.com/security/cve/CVE-2024-35861.html
* https://www.suse.com/security/cve/CVE-2024-35862.html
* https://www.suse.com/security/cve/CVE-2024-35864.html
* https://www.suse.com/security/cve/CVE-2024-35950.html
* https://www.suse.com/security/cve/CVE-2024-36964.html
* https://www.suse.com/security/cve/CVE-2024-41059.html
* https://bugzilla.suse.com/show_bug.cgi?id=1223683
* https://bugzilla.suse.com/show_bug.cgi?id=1225309
* https://bugzilla.suse.com/show_bug.cgi?id=1225310
* https://bugzilla.suse.com/show_bug.cgi?id=1225311
* https://bugzilla.suse.com/show_bug.cgi?id=1225312
* https://bugzilla.suse.com/show_bug.cgi?id=1225819
* https://bugzilla.suse.com/show_bug.cgi?id=1226325
* https://bugzilla.suse.com/show_bug.cgi?id=1227471
* https://bugzilla.suse.com/show_bug.cgi?id=1227651
* https://bugzilla.suse.com/show_bug.cgi?id=1228573